@steeve85
steeve85 / pdb_downloader.py
Created May 12, 2012 09:30
Python PDB downloader, a kind of alternative to Microsoft's symchk.exe
#!/usr/bin/env python
import httplib, os.path, argparse, pefile, struct
"""
pdb_downloader.py
v0.1
Steeve Barbeau
@steevebarbeau
steeve-barbeau.blogspot.com
@steeve85
steeve85 / twicrypter.py
Created May 12, 2012 18:32
Punish Twitter accounts that tweet "crypter" or "cryptage"
#!/usr/bin/env python
import twitter, argparse, time
"""
twicrypter.py
v0.1
Steeve Barbeau
@steevebarbeau
@steeve85
steeve85 / malwarelu.py
Created May 28, 2012 22:41
[broken] Dionaea module to upload files/malwares to malware.lu
#********************************************************************************
#* Dionaea
#* - catches bugs -
#*
#*
#*
#* Copyright (C) 2009 Paul Baecher & Markus Koetter
#*
#* This program is free software; you can redistribute it and/or
#* modify it under the terms of the GNU General Public License
@steeve85
steeve85 / dionaea_scan1
Created June 9, 2012 21:21
Nmap Dionaea scan
[steeve@omega ~]$ nmap -sS -T 4 -A -O AAA.BBB.CCC.DDD
Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-08 22:26 CEST
Nmap scan report for blah.blah.com (AAA.BBB.CCC.DDD)
Host is up (0.048s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Dionaea honeypot ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0)
@steeve85
steeve85 / nmap_probes
Created June 9, 2012 21:32
Nmap probes examples
match backdoor m|^PWD$| p/Subseven backdoor/ i/**BACKDOOR**/ o/Windows/
match asterisk m|^Asterisk Call Manager/([\d.]+)\r\n| p/Asterisk Call Manager/ v/$1/
match quake3 m|^\xff\xff\xff\xffdisconnect$| p/Quake 3 dedicated server/
Probe TCP mydoom q|\x0d\x0d|
rarity 9
ports 706,3127-3198
match mydoom m|\x04\x5b\0\0\0\0\0\0| p/MyDoom virus backdoor/ v/v012604/
# Windows 2003
@steeve85
steeve85 / dionaea_probes
Created June 9, 2012 21:34
Nmap dionaea probes
match ftp m|^220 Welcome to the ftp service\r\n| p/Dionaea honeypot ftpd/
match http m|^HTTP/1\.0 200 OK\r\nContent-type: text/html; charset=utf-8\r\nContent-Length: 204\r\n\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 3\.2 Final//EN\"><html>\n<title>Directory listing for /</title>\n<body>\n<h2>Directory listing for /</h2>\n<hr>\n<ul>\n<li><a href=\"\.\./\">\.\./</a>\n</ul>\n<hr>\n</body>\n</html>\n$| p/Dionaea honeypot httpd/
match microsoft-ds m|^\0...\xffSMBr\0\0\0\0\x98\x01\x40\0\0\0\0\0\0\0\0\0\0\0\0\xff\xff\x40\x06\0\0\x01\0\x11\x07\0\x03\x01\0\x01\0\0\x10\0\0\0\0\x01\0\0\0\0\0\xfd\xe3\0\0..........\x00\x34\0W\0O\0R\0K\0G\0R\0O\0U\0P\0\0\0H\0O\0M\0E\0U\0S\0E\0R\0-\0.\0.\0.\0.\0.\0.\0\0\0|s p/Dionaea honeypot smbd/
match ms-sql-s m|^\x04\x01\x00\x2b\x00\x00\x00\x00\x00\x00\x1a\x00\x06\x01\x00\x20\x00\x01\x02\x00\x21\x00\x01\x03\x00\x22\x00\x00\x04\x00\x22\x00\x01\xff\x08\x00\x02\x10\x00\x00\x02\x00\x00| p/Dionaea honeypot MS-SQL server/
@steeve85
steeve85 / nmap_dionaea_ftp.py
Created June 9, 2012 22:18
dionaea ftp function
def handle_established(self):
    self.processors()
    #self.reply(WELCOME_MSG, "Welcome to the ftp service")
    self.reply(WELCOME_MSG, "Microsoft FTP Service")
@steeve85
steeve85 / nmap_dionaea_http.py
Created June 9, 2012 22:27
Nmap Dionaea http
def list_directory(self, path):
    #[..]
    r = []
    displaypath = cgi.escape(self.header.path)
    r.append('<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">')
    r.append("<html>\n<title>Directory listing for %s</title>\n" % displaypath)
    r.append("<body>\n<h2>Directory listing for %s</h2>\n" % displaypath)
    r.append("<hr>\n<ul>\n")
    for name in list:
        fullname = os.path.join(path, name)
@steeve85
steeve85 / nmap_dionaea_smb.py
Created June 9, 2012 22:32
Nmap Dionaea SMB
class SMB_Negociate_Protocol_Response(Packet):
    name="SMB Negociate Response"
    smb_cmd = SMB_COM_NEGOTIATE #0x72
    fields_desc = [
        #[..],
        ConditionalField(UnicodeNullField("OemDomainName", "HINMAP"), lambda x: not x.Capabilities & CAP_EXTENDED_SECURITY),
        # "ServerName" field needed for case without CAP_EXTENDED_SECURITY
        ConditionalField(UnicodeNullField("ServerName", "TRYHARDER"), lambda x: not x.Capabilities & CAP_EXTENDED_SECURITY),
        #[..],]
@steeve85
steeve85 / nmap_scan2
Created June 9, 2012 22:36
Nmap Dionaea stealthier scan
[steeve@omega ~]$ sudo nmap -sS -sV AAA.BBB.CCC.DDD
Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-09 23:54 CEST
Nmap scan report for blah.blah.com (AAA.BBB.CCC.DDD)
Host is up (0.058s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0)
42/tcp open tcpwrapped
80/tcp open http?