Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: python

{Quick Post} More fun with Python ctypes – InternetConnectedState

As a follow-up to my simpleicmp ctypes post, I thought I’d post something about the wininet InternetGetConnectedState function for checking whether the network connection is up.

Obviously you can go through the process of sending an ICMP echo request and checking whether there’s a response, but this is a lot simpler and cleaner (and less prone to issues if echo requests are blocked, or the host just doesn’t respond to them). There may also be situations where your script is trying to be as quiet as possible on the network, and firing off random packets to see if the network is up is bad form.

Here’s a simple script that will tell you if the network connection is up or not.

#!/usr/bin/python
# -*- coding: utf-8 -*-

from ctypes import windll, byref
from ctypes.wintypes import DWORD

wininet = windll.wininet
flags = DWORD()                      # receives the INTERNET_CONNECTION_* bits
# BOOL InternetGetConnectedState(LPDWORD lpdwFlags, DWORD dwReserved)
connected = wininet.InternetGetConnectedState(
             byref(flags),
             0,                      # dwReserved must be 0
             )
if not connected:
    print(' [!] No internet connection, cannot retrieve data')
else:
    print(' [>] Connection check confirmed')

Again, this is only a small cog in the machine, but I thought it was worth documenting here if only to stop me from forgetting it next time I need to use it 😉

Example:

As you can see, this method checks the network connection by querying the status of the local network interface rather than by sending anything across the wire.

Links:

  • InternetGetConnectedState Function –> HERE

{Quick Post} Fun with Python ctypes – simpleicmp

As part of another project I’m working on in the background I’ve been playing a little with Python’s ctypes. As a casual (and sadly bad) programmer Python ctypes are new to me, so I wanted to knock out a few simple scripts to test the waters. As it fit well with what I needed for my other project, and I couldn’t find anything that already did it, I decided to write a simple script to send ICMP echo requests using the Windows IcmpSendEcho function. The benefit of using this over something like RAW SOCKETS is the ability for non-administrative users to send ICMP echo requests and retain the ability to specify the data portion of the packet. This makes it useful for data exfiltration and shell over ICMP purposes.

Now, this idea isn’t new, and there are various tools that do more (or less) similar things. Some (most?) seem to need administrative access, however, which is a pain, especially if you’re stuck as a standard user or need to prove that ICMP can be used for more than network troubleshooting.

A list of the ICMP related shells I found with the help of Google is at the end of this post.

I can’t really post the full source code in this blog post; it’s far too long. However, below is the basic structure of the call to IcmpSendEcho. Obviously there are a lot of other things that also need to be present to make this work.

from ctypes import *
# Support definitions the post leaves out: the reply structure and the DLLs
class IP_OPTION_INFORMATION(Structure):
    _fields_ = [('Ttl', c_ubyte), ('Tos', c_ubyte), ('Flags', c_ubyte),
                ('OptionsSize', c_ubyte), ('OptionsData', POINTER(c_ubyte))]
class ICMP_ECHO_REPLY(Structure):
    _fields_ = [('Address', c_ulong), ('Status', c_ulong),
                ('RoundTripTime', c_ulong), ('DataSize', c_ushort),
                ('Reserved', c_ushort), ('Data', c_void_p),
                ('Options', IP_OPTION_INFORMATION)]
icmp = windll.icmp                   # handle argument comes from icmp.IcmpCreateFile()
inet_addr = windll.ws2_32.inet_addr

def IcmpSendEcho(handle, addr, data, options, timeout):
    data = data or ''
    # the reply buffer must hold the ICMP_ECHO_REPLY struct *and* the echoed data
    size = sizeof(ICMP_ECHO_REPLY) + len(data)
    reply = create_string_buffer(size)
    if options:
        options = byref(options)
    r = icmp.IcmpSendEcho(handle, inet_addr(addr), data, len(data),
                          options, reply, size, timeout)
    # r = number of replies (0 on failure); return the decoded leading struct
    return r, cast(reply, POINTER(ICMP_ECHO_REPLY)).contents

For those with more than a passing interest, a link to the Python source and a PyInstaller Windows 32-bit .exe are at the end of this post.

Example use:

A quick packet capture shows that 2 ICMP echo requests are sent to 8.8.8.8 containing the text “test icmp ” and “packet”.

As it is, this script isn’t that useful for anything but party tricks and showing your network team why ping from the desktop might be a security issue. However the code base can easily be worked into a full exfiltration tool by accepting a file input, and enabling some kind of encryption to avoid simple detection. Obviously this would need some sort of server end to easily decrypt the data, but that’s not a far stretch… unless you like fishing things out of PCAP files!
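Taking the detection side of that paragraph: the following is an added example (not code from the post or from simpleicmp) that parses raw ICMP echo requests, verifies the checksum and flags payloads that are not the stock Windows or Linux ping patterns. The captured packets are constructed inline to mirror the “test icmp ” / “packet” test above.

```python
import struct

def icmp_checksum(data):
    """RFC 1071 one's-complement sum over the ICMP header and payload."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(payload, ident=1, seq=1):
    """Constructed ICMP echo request (type 8, code 0) used for the samples below."""
    head = struct.pack('!BBHHH', 8, 0, 0, ident, seq)
    return struct.pack('!BBHHH', 8, 0, icmp_checksum(head + payload), ident, seq) + payload

# What the stock ping tools put in the data portion: Windows sends 32 bytes of
# 'abcdefghijklmnopqrstuvwabcdefghi'; Linux iputils sends an 8-byte timestamp
# followed by the byte sequence 0x10..0x3F (56 bytes of data in total)
WINDOWS_PING = b'abcdefghijklmnopqrstuvwabcdefghi'
LINUX_PING_TAIL = bytes(range(0x10, 0x40))

def inspect_echo(pkt):
    """Classify an ICMP message: 'not-echo', 'bad-checksum', 'default-payload'
    or 'custom-payload', together with the payload bytes."""
    if len(pkt) < 8 or pkt[0] != 8:
        return 'not-echo', b''
    if icmp_checksum(pkt) != 0:      # a valid packet sums to zero with its checksum included
        return 'bad-checksum', pkt[8:]
    payload = pkt[8:]
    if payload == WINDOWS_PING or (len(payload) == 56 and payload[8:] == LINUX_PING_TAIL):
        return 'default-payload', payload
    return 'custom-payload', payload

def flag_custom(pkts):
    """Payloads worth a second look: echo requests whose data is not a stock ping pattern."""
    return [p for kind, p in map(inspect_echo, pkts) if kind == 'custom-payload']

# Constructed captures mirroring the post's test: two simpleicmp requests plus a stock Windows ping
SAMPLES = [build_echo(b'test icmp ', seq=1), build_echo(b'packet', seq=2), build_echo(WINDOWS_PING, seq=3)]
```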

If you want to build the Python code into an exe yourself (what do you mean you don’t trust me 😛 ) then I strongly suggest getting the SVN version of PyInstaller (earlier versions have caused me problems in the past).

I’ll leave these as exercises for the reader while I work on some other projects 😉

Simpleicmp:

  • Python source code –> HERE
  • Win32 (PyInstaller .exe) –> HERE

Feel free to leave any comments if you have ideas, uses, or generally want to laugh at my bad coding 😉

Links:

Apache Log Extractor [Alpha]

Just a quick post to give some info on a PoC script I threw together for extracting information from Apache Access logs.

Apache Log Extractor is a quick script to export URL information from Apache access logs. The idea behind this script was to provide a list of known URLs on a remote server by analysing its logs. This list could then be used as the input for further testing tools (e.g. Burp Suite Intruder).

The script accepts an Apache access log file as input and creates an output file containing one URL per line. The list is unique and should only contain the URL without parameters (incomplete directory names are not extracted). It also takes these URLs and creates a wordlist of all valid directory names for use with brute-forcing etc.

Update: I’ve added support for extracting basic auth usernames as of version 0.4.
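As an added illustration of the extraction logic the script performs (this is not the Apache Log Extractor’s own code), the following parses constructed combined-format log lines, returns the unique URLs without parameters, derives a directory wordlist from them and pulls basic-auth usernames from the authuser field. Treating every path component except the last as a directory name is my simplification.

```python
import re
from urllib.parse import urlsplit

# Constructed Apache combined-log lines (not from the original post); note the
# basic-auth users in field 3 and a malformed line that must be skipped
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2011:13:55:36 +0200] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.5 - alice [10/Oct/2011:13:55:40 +0200] "GET /ajax/bottomnavinfo.ashx HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2011:13:56:01 +0200] "GET /MetaAdServer/MAS.aspx?cp=seite1&f=0 HTTP/1.1" 200 77 "-" "curl/7.21"
10.0.0.7 - - [10/Oct/2011:13:56:02 +0200] "GET /css/layout.css HTTP/1.1" 304 - "-" "curl/7.21"
10.0.0.5 - bob [10/Oct/2011:13:56:09 +0200] "POST /Mail HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2011:13:56:10 +0200] "GET /ajax/bottomnavinfo.ashx HTTP/1.1" 200 512 "-" "Mozilla/5.0"
<<< truncated line with no request field
"""

# host ident authuser [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_access_log(text):
    """Yield (authuser or None, request path) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # malformed line: ignore, don't crash
        user, target = m.group(3), m.group(5)
        path = urlsplit(target).path or '/'  # drop ?query and #fragment
        yield (None if user == '-' else user), path

def extract_urls(text):
    """Unique request paths without parameters, in first-seen order."""
    urls = []
    for _, path in parse_access_log(text):
        if path not in urls:
            urls.append(path)
    return urls

def extract_dirs(urls):
    """Wordlist of directory names: every path component except the last one."""
    words = []
    for url in urls:
        for part in url.strip('/').split('/')[:-1]:
            if part and part not in words:
                words.append(part)
    return words

def extract_users(text):
    """Basic-auth usernames Apache logged in the authuser field (the v0.4 feature)."""
    return sorted({user for user, _ in parse_access_log(text) if user})
```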

Usage example:

./apache_log_extractor.py access.log.1

Output example:

[ ] Extracting URLs from logfile : access.log.1

 [ ] Extracted URL :  /
 [ ] Extracted URL :  /Signed_Update.jar
 [ ] Extracted URL :  /ajax/bottomnavinfo.ashx
 [ ] Extracted URL :  /MetaAdServer/MAS.aspx?cp=seite1&ct=contentview_ressort&f=0
 [ ] Extracted URL :  /favicon.ico
 [ ] Extracted URL :  /EB3YKJjcJ5YvJ
 [ ] Extracted URL :  /MetaAdServer/MAS.aspx?cp=seite1&ct=contentview_ressort&f=1
 [ ] Extracted URL :  /AdServer/SponsorButtonC.aspx?ids=16965
 [ ] Extracted URL :  /Mail
 [ ] Extracted URL :  /css/layout.css

[ ] Extracting directory names from logfile

 [ ] Extracted Word :  ajax
 [ ] Extracted Word :  MetaAdServer
 [ ] Extracted Word :  AdServer
 [ ] Extracted Word :  css
 [ ] Extracted Word :  mail

You can find a download link for the Apache Log Extractor Python script through the links below.

Feedback is always gratefully received…

Links:

Printer MITM revisited: prn-2-me

Well it’s been a while since I wrote about man in the middling printers (original post here), but I’ve not been totally ignoring the subject. After releasing the UA-Tester tool and writing a few small scripts for things like scr.im, I went back and had a look at the printer MITM topic with a mind to writing up a tool (in python obviously) to automate some of it. The result is a workable PoC tool called prn-2-me (mostly because it was late, and all creativity was long gone… sorry, no snazzy title this time!).

PRN-2-me is a simple listener that can be configured to run on any port (the default is 9100, for JetDirect-style connections). The tool saves all incoming PCL and PostScript print jobs to file and forwards them on to the real printer.

Now that you’ve got the print jobs saved to disk, it’s a simple task of sifting through them and seeing what nuggets of gold you’ve captured.
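When sifting through captured jobs, the first questions are which language a job is in and what its PJL header says about it. The following is an added example, not part of prn-2-me, that classifies a raw port 9100 payload as PCL or PostScript, names the file in the job_001_PCL.pcl scheme used below, and pulls the document name and user from the PJL header (or the %%Title DSC comment for PostScript). The job bytes are constructed, and the ‘unknown’ fallback is my assumption.

```python
import re

UEL = b'\x1b%-12345X'   # PJL Universal Exit Language: brackets most driver-generated jobs

# Constructed sample jobs (not captures from the original post): PJL-wrapped PCL,
# PJL-wrapped PostScript, bare PostScript and bare PCL
JOBS = {
    'job_001': UEL + b'@PJL JOB NAME="Q3 payroll.docx"\r\n@PJL SET USERNAME="jdoe"\r\n'
                     b'@PJL ENTER LANGUAGE=PCL\r\n\x1bE\x1b&l0O\x1b(10U' + UEL,
    'job_002': UEL + b'@PJL ENTER LANGUAGE=POSTSCRIPT\r\n%!PS-Adobe-3.0\n%%Title: (memo)\n',
    'job_003': b'%!PS-Adobe-2.0\n%%Creator: (cupsfilter)\n',
    'job_004': b'\x1bE\x1b&l1O\x1b(s0p10h12v0s0b3T',
}

def classify_job(data):
    """Return 'ps', 'pcl' or 'unknown' from the PJL language switch or the raw prefix."""
    m = re.search(rb'@PJL\s+ENTER\s+LANGUAGE\s*=\s*(\w+)', data)
    if m:
        return 'ps' if m.group(1).upper() == b'POSTSCRIPT' else 'pcl'
    body = data[len(UEL):] if data.startswith(UEL) else data
    if body.startswith(b'%!PS'):
        return 'ps'
    if body.startswith(b'\x1bE'):   # PCL printer reset (ESC E) opens a PCL stream
        return 'pcl'
    return 'unknown'

def job_filename(job_id, data):
    """Filename in the post's scheme, e.g. job_001_PCL.pcl, ready for pcl6 or a PS viewer."""
    kind = classify_job(data)
    return '%s_%s.%s' % (job_id, kind.upper(), kind if kind != 'unknown' else 'bin')

def job_metadata(data):
    """Document name and user from the PJL header, or the DSC %%Title for PostScript."""
    meta = {}
    for key, pat in (('name', rb'@PJL\s+JOB\s+NAME\s*=\s*"([^"]*)"'),
                     ('user', rb'@PJL\s+SET\s+USERNAME\s*=\s*"([^"]*)"'),
                     ('title', rb'%%Title:\s*\(?([^)\r\n]*)\)?')):
        m = re.search(pat, data)
        if m:
            meta[key] = m.group(1).decode('latin-1')
    return meta

def sift(jobs):
    """One summary row per captured job: (filename, metadata)."""
    return [(job_filename(jid, data), job_metadata(data)) for jid, data in sorted(jobs.items())]
```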

PostScript (PS): The simple format… you can open .ps files on most operating systems without any specialist software needed. Click and run… These files are also a LOT better quality than the PCL alternatives. If you don’t believe me, just check out the samples.

Sample PS file –> HERE

PCL: Not so simple… PCL isn’t well supported when it comes to viewers. However, all is not lost. There are two options here.

  • OpenPCL Viewer – a Java-based viewer (project can be found here)
  • GhostPCL – by grabbing the source for GhostPDL you can compile in PCL and/or XPS support and easily convert to other formats (project can be found here)

Example command line (example output):

pcl6 -sDEVICE=pdfwrite -sOutputFile=job_001_PCL.pdf job_001_PCL.pcl

Sample PCL file –> HERE

So, what’s next!

I’ve given up promising things on the blog, as I’ve already got a plate full of other projects waiting to start. Still, I hope to implement the same functionality into Metasploit at some point. There’s no reason why one of the capture modules couldn’t be re-written to capture printer traffic to file. If I can do it, it can’t be that complex after all 😉

The script is available for download HERE or in the tools section.

The tool is licensed under a mixture of BEERware (where you buy me beers if you like the tool) and FEEDBACKware (where you tell me how crap it is so I can make it better). Enjoy!