This post was inspired by the book “Offensive Countermeasures: The Art of Active Defenses” by Paul Asadoorian and John Strand, so if you like this post you should check out the book for more tricks.

Python is an extremely powerful scripting language that allows you to accomplished complex tasks in a few simple lines of code.  This month PrimalSec created several scripts that can be used in Cyber competitions.  All these tools are available via our Github: https://github.com/primalsecn/python_code/

Below is a quick overview of the tools we are releasing this month:

  • iptrap.py – This tool listens on a port for connections and will automatically block any IP via Iptables that makes a full TCP connection.
  • Flytrap.py / Flytrap.exe – Same idea of iptrap.py just ported over to work with Windows and compiled into a Portable Executable (PE).
  • smbouncer.py- Scans targets for SMB vulnerabilities and automatically launches exploits via msfcli (MS08-067, and MS09-050) with a Meterpreter payload

iptrap.py

iptrap.py is a tool that is designed to sit on the wire as a booby trap and block any IP that makes a full TCP connection to that port.  Simple SYNs wont cause the script to create an iptables rule, but if you attempt to establish a full TCP connection, such as in the case as banner grabbing iptrap will block the IP.  The idea here is you would have this listen on a port that is commonly scanned, but is a service that the host isn’t offering.  So if this host doesn’t listen on 80 you could have iptrap sitting on port 80 waiting for a connection attempt.  Below are screen shots of the tool in action:

In the example above iptrap.py was set to listen on port 4444 for incoming connections.  Then we used netcat to make a quick connection to TCP 4444 to demonstrate how it will automatically block that IP address via an iptables rule.  As you might imagine blocking the loopback address could be a problem, so we built in switches to white list IPs,  list the current rules, and flush out the rules that were automatically added:

 

Flytrap.exe

Flytrap.exe is essentially the iptrap.py script ported over for Windows.  It can listen on a port specified via a command line switch and automatically block incoming connections using the built-in Windows firewall.  Flytrap.exe is actually a Python script that is compiled into a Windows Portable Executable (PE) using PyInstaller.  Later in this post we will demonstrate how you can compile Python scripts into PE files to make it more portable for Windows use.  Flytrap.exe uses netsh advfirewall commands that were implemented in Windows Vista and newer, so it currently isn’t designed to work on XP.  Below is a screen shot demonstrating Flytrap.exe in action:

 

smbouncer.py

smbouncer.py is a tool that is designed for rapid enumeration and exploitation of Windows SMB vulnerabilities.  It targets MS08-067 and MS09-050, which are extremely common vulnerabilities found in cyber competitions.  Normally these can give you some quick wins to dump password hashes and pivot to other machines via Pass-the-Hash techniques.  smbouncer.py bounces across the network looking for these Windows SMB vulnerabilities using Python-nmap and then launches an exploit at the service using msfcli with a Meterpreter reverse_tcp payload.  Below is an example of setting a target with switch “-t” and a local address to bind the msf listener service with switch “-l”:

This tool essentially uses the Nmap Scripting Engine (NSE) script smb-check-vulns and it can be run with unsafe checks enabled with –unsafe.  Just beware with the switch “–unsafe”  you may DoS the service.  Looking at the code you can see how you might apply this to other vulnerabilities and exploits:

smb

You can setup Python-nmap to scan for a service and then based on its findings pass the relevant information to an exploit function to invoke msfcli.  Alternatively, you could design your script to build a MSF resource file (.rc) and invoke that within msfconsole instead of launching the exploit using msfcli.

Generating Python Executables with PyInstaller

First we must download the necessary dependencies, which include python (version 2.7 in this example), and in the case of windows, cygwin (or some other variant, we are using PyWin).

Linux: sudo apt-get install python2.7 build-essential python-dev zlib1g-dev upx
Windows: http://www.activestate.com/activepython (fully packaged installer file)

After downloading the necessary dependencies, we can download the current version of PyInstaller from the following link: http://sourceforge.net/projects/pyinstaller/files/2.0/pyinstaller-2.0.tar.bz2/download

(MD5:c62dd506bcde230d87ea11a1c316b590)

After install –

Next we can run the following command to generate the python executable script: python pyintaller.py –options script/script.py

This will process the python script, pull the necessary import dependencies, and generate a new folder containing a script.txt, a script.spec, and a script.exe. The script.exe can now be used, and the .txt and .spec can be removed.

After building the executable –

The Python script has now been compiled into a Windows PE file and can be executed on Windows without using a Python interpreter.  This allows you to more easily move your code between instances of Windows without worrying about dependencies.

 

Additional Tools to Consider:
Mess up scanning tools:
https://code.google.com/p/weblabyrinth/
http://sourceforge.net/p/adhd/wiki/Spidertrap/  — We really like spidertrap.py very quick and easy to deploy/use
http://labrea.sourceforge.net/labrea-info.html

Booby Trap a webpage with BeEF?  Yes touch /admin/admin.php, please!
Claymore – Scans IP that connects to the fake network:
https://github.com/mayhemiclabs/claymore
Artillery.py – Host monitoring tool that can listen on ports/autoban, and monitor file changes: