Steeve Barbeau steeve85

## redditInfosecJobs.py
#!/usr/bin/env python

import praw, datetime, time

class Reddit:

  def __init__(self):
    self.submissions = ['2s9m3i', '2rijej'] # to update when they change
    self.offers = {}
    self.r = praw.Reddit('Infosec jobs on Reddit')

## twicrypter.py
#!/usr/bin/env python

import twitter, argparse, time

"""
twicrypter.py
v0.1

Steeve Barbeau
@steevebarbeau

## malwarelu.py
#********************************************************************************
#*                               Dionaea
#*                           - catches bugs -
#*
#*
#*
#* Copyright (C) 2009  Paul Baecher & Markus Koetter
#*
#* This program is free software; you can redistribute it and/or
#* modify it under the terms of the GNU General Public License

## dionaea_scan1
[steeve@omega ~]$ nmap -sS -T 4 -A -O AAA.BBB.CCC.DDD
Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-08 22:26 CEST
Nmap scan report for blah.blah.com (AAA.BBB.CCC.DDD)
Host is up (0.048s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Dionaea honeypot ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0)

## dionaea_probes
match ftp m|^220 Welcome to the ftp service\r\n| p/Dionaea honeypot ftpd/
match http m|^HTTP/1\.0 200 OK\r\nContent-type: text/html; charset=utf-8\r\nContent-Length: 204\r\n\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 3\.2 Final//EN\"><html>\n<title>Directory listing for /</title>\n<body>\n<h2>Directory listing for /</h2>\n<hr>\n<ul>\n<li><a href=\"\.\./\">\.\./</a>\n</ul>\n<hr>\n</body>\n</html>\n$| p/Dionaea honeypot httpd/
match microsoft-ds m|^\0...\xffSMBr\0\0\0\0\x98\x01\x40\0\0\0\0\0\0\0\0\0\0\0\0\xff\xff\x40\x06\0\0\x01\0\x11\x07\0\x03\x01\0\x01\0\0\x10\0\0\0\0\x01\0\0\0\0\0\xfd\xe3\0\0..........\x00\x34\0W\0O\0R\0K\0G\0R\0O\0U\0P\0\0\0H\0O\0M\0E\0U\0S\0E\0R\0-\0.\0.\0.\0.\0.\0.\0\0\0|s p/Dionaea honeypot smbd/
match ms-sql-s m|^\x04\x01\x00\x2b\x00\x00\x00\x00\x00\x00\x1a\x00\x06\x01\x00\x20\x00\x01\x02\x00\x21\x00\x01\x03\x00\x22\x00\x00\x04\x00\x22\x00\x01\xff\x08\x00\x02\x10\x00\x00\x02\x00\x00| p/Dionaea honeypot MS-SQL server/

## nmap_dionaea_ftp.py
def handle_established(self):
  self.processors()
  #self.reply(WELCOME_MSG, "Welcome to the ftp service")
  self.reply(WELCOME_MSG, "Microsoft FTP Service")

## nmap_probes
match backdoor m|^PWD$| p/Subseven backdoor/ i/**BACKDOOR**/ o/Windows/
match asterisk m|^Asterisk Call Manager/([\d.]+)\r\n| p/Asterisk Call Manager/ v/$1/
match quake3 m|^\xff\xff\xff\xffdisconnect$| p/Quake 3 dedicated server/

Probe TCP mydoom q|\x0d\x0d|
rarity 9
ports 706,3127-3198
match mydoom m|\x04\x5b\0\0\0\0\0\0| p/MyDoom virus backdoor/ v/v012604/

# Windows 2003

## nmap_dionaea_http.py
def list_directory(self, path):
  #[..]
  r = []
  displaypath = cgi.escape(self.header.path)
  r.append('<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">')
  r.append("<html>\n<title>Directory listing for %s</title>\n" % displaypath)
  r.append("<body>\n<h2>Directory listing for %s</h2>\n" % displaypath)
  r.append("<hr>\n<ul>\n")
  for name in list:
    fullname = os.path.join(path, name)

## nmap_dionaea_smb.py
class SMB_Negociate_Protocol_Response(Packet):
  name="SMB Negociate Response"
  smb_cmd = SMB_COM_NEGOTIATE #0x72
  fields_desc = [
    #[..],
    ConditionalField(UnicodeNullField("OemDomainName", "HINMAP"), lambda x: not x.Capabilities & CAP_EXTENDED_SECURITY),
    # "ServerName" field needed for case without CAP_EXTENDED_SECURITY
    ConditionalField(UnicodeNullField("ServerName", "TRYHARDER"), lambda x: not x.Capabilities & CAP_EXTENDED_SECURITY),
    #[..],]

## nmap_scan2
[steeve@omega ~]$ sudo nmap -sS -sV AAA.BBB.CCC.DDD
Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-09 23:54 CEST
Nmap scan report for blah.blah.com (AAA.BBB.CCC.DDD)
Host is up (0.058s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
22/tcp   open  ssh           OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0)
42/tcp   open  tcpwrapped
80/tcp   open  http?
	#!/usr/bin/env python

	import praw, datetime, time

	class Reddit:

	def __init__(self):
	self.submissions = ['2s9m3i', '2rijej'] # to update when they change
	self.offers = {}
	self.r = praw.Reddit('Infosec jobs on Reddit')
	#!/usr/bin/env python

	import twitter, argparse, time

	"""
	twicrypter.py
	v0.1

	Steeve Barbeau
	@steevebarbeau
	#********************************************************************************
	#* Dionaea
	#* - catches bugs -
	#*
	#*
	#*
	#* Copyright (C) 2009 Paul Baecher & Markus Koetter
	#*
	#* This program is free software; you can redistribute it and/or
	#* modify it under the terms of the GNU General Public License
	[steeve@omega ~]$ nmap -sS -T 4 -A -O AAA.BBB.CCC.DDD
	Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-08 22:26 CEST
	Nmap scan report for blah.blah.com (AAA.BBB.CCC.DDD)
	Host is up (0.048s latency).
	Not shown: 989 closed ports
	PORT STATE SERVICE VERSION
	21/tcp open ftp Dionaea honeypot ftpd
	\| ftp-anon: Anonymous FTP login allowed (FTP code 230)
	\|_Can't get directory listing: TIMEOUT
	22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0)
	match ftp m\|^220 Welcome to the ftp service\r\n\| p/Dionaea honeypot ftpd/
	match http m\|^HTTP/1\.0 200 OK\r\nContent-type: text/html; charset=utf-8\r\nContent-Length: 204\r\n\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 3\.2 Final//EN\"><html>\n<title>Directory listing for /</title>\n<body>\n<h2>Directory listing for /</h2>\n<hr>\n<ul>\n<li><a href=\"\.\./\">\.\./</a>\n</ul>\n<hr>\n</body>\n</html>\n$\| p/Dionaea honeypot httpd/
	match microsoft-ds m\|^\0...\xffSMBr\0\0\0\0\x98\x01\x40\0\0\0\0\0\0\0\0\0\0\0\0\xff\xff\x40\x06\0\0\x01\0\x11\x07\0\x03\x01\0\x01\0\0\x10\0\0\0\0\x01\0\0\0\0\0\xfd\xe3\0\0..........\x00\x34\0W\0O\0R\0K\0G\0R\0O\0U\0P\0\0\0H\0O\0M\0E\0U\0S\0E\0R\0-\0.\0.\0.\0.\0.\0.\0\0\0\|s p/Dionaea honeypot smbd/
	match ms-sql-s m\|^\x04\x01\x00\x2b\x00\x00\x00\x00\x00\x00\x1a\x00\x06\x01\x00\x20\x00\x01\x02\x00\x21\x00\x01\x03\x00\x22\x00\x00\x04\x00\x22\x00\x01\xff\x08\x00\x02\x10\x00\x00\x02\x00\x00\| p/Dionaea honeypot MS-SQL server/
	def handle_established(self):
	self.processors()
	#self.reply(WELCOME_MSG, "Welcome to the ftp service")
	self.reply(WELCOME_MSG, "Microsoft FTP Service")
	match backdoor m\|^PWD$\| p/Subseven backdoor/ i/BACKDOOR/ o/Windows/
	match asterisk m\|^Asterisk Call Manager/([\d.]+)\r\n\| p/Asterisk Call Manager/ v/$1/
	match quake3 m\|^\xff\xff\xff\xffdisconnect$\| p/Quake 3 dedicated server/

	Probe TCP mydoom q\|\x0d\x0d\|
	rarity 9
	ports 706,3127-3198
	match mydoom m\|\x04\x5b\0\0\0\0\0\0\| p/MyDoom virus backdoor/ v/v012604/

	# Windows 2003
	def list_directory(self, path):
	#[..]
	r = []
	displaypath = cgi.escape(self.header.path)
	r.append('<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">')
	r.append("<html>\n<title>Directory listing for %s</title>\n" % displaypath)
	r.append("<body>\n<h2>Directory listing for %s</h2>\n" % displaypath)
	r.append("<hr>\n<ul>\n")
	for name in list:
	fullname = os.path.join(path, name)
	class SMB_Negociate_Protocol_Response(Packet):
	name="SMB Negociate Response"
	smb_cmd = SMB_COM_NEGOTIATE #0x72
	fields_desc = [
	#[..],
	ConditionalField(UnicodeNullField("OemDomainName", "HINMAP"), lambda x: not x.Capabilities & CAP_EXTENDED_SECURITY),
	# "ServerName" field needed for case without CAP_EXTENDED_SECURITY
	ConditionalField(UnicodeNullField("ServerName", "TRYHARDER"), lambda x: not x.Capabilities & CAP_EXTENDED_SECURITY),
	#[..],]
	[steeve@omega ~]$ sudo nmap -sS -sV AAA.BBB.CCC.DDD
	Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-09 23:54 CEST
	Nmap scan report for blah.blah.com (AAA.BBB.CCC.DDD)
	Host is up (0.058s latency).
	Not shown: 989 closed ports
	PORT STATE SERVICE VERSION
	21/tcp open ftp Microsoft ftpd
	22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0)
	42/tcp open tcpwrapped
	80/tcp open http?