Breaking Code

April 2, 2010

Using Impacket/Pcapy with Python 2.6 on Windows

Filed under: Tools — Mario Vilas @ 5:30 pm

Hello everyone! Today we’ll be installing Impacket and Pcapy for Python 2.6 on Windows. The Impacket module lets you parse network packets, which is very useful, for example, when developing a sniffer. The Pcapy module interfaces with WinPcap to do the actual packet capture.

From the CORE Security webpage:

What is Impacket?

Impacket is a collection of Python classes focused on providing access to network packets. Impacket allows Python developers to craft and decode network packets in simple and consistent manner. It includes support for low-level protocols such as IP, UDP and TCP, as well as higher-level protocols such as NMB and SMB. Impacket is highly effective when used in conjunction with a packet capture utility or package such as Pcapy. Packets can be constructed from scratch, as well as parsed from raw data. Furthermore, the object oriented API makes it simple to work with deep protocol hierarchies.

What is Pcapy?

Pcapy is a Python extension module that interfaces with the libpcap packet capture library. Pcapy enables python scripts to capture packets on the network. Pcapy is highly effective when used in conjunction with a packet-handling package such as Impacket, which is a collection of Python classes for constructing and dissecting network packets.

There is a problem though – Pcapy hasn’t been updated in quite a while, so there is no MSI installer for Python 2.6. I’ve built it myself and hosted it here on the blog, so you don’t have to. :) I’ve also built an EXE installer for Impacket; it’s not really needed since it’s a pure Python module, but why not?

So this is the list of files we’ll be needing:

WinPcap_4_1_1.exe

pcapy-0.10.5.win32-py2.6.msi

Impacket-0.9.8.0.win32.exe

Installation is now pretty much straightforward. After running all the installers, let’s try it out with this example script to dump all connection attempts by sniffing SYN packets:

    C:\Documents and Settings\Mario Vilas\Desktop>python connections.py
    Available network interfaces:
            1 - \Device\NPF_GenericDialupAdapter
            2 - \Device\NPF_{5BE055D9-461D-4F51-99DD-188224D1A6D0}
            3 - \Device\NPF_{9B7DC2FB-7660-4E68-B4EC-DB9682C76E40}
            4 - \Device\NPF_{166A618C-4230-42E7-93AD-298D1145F5BC}
            5 - \Device\NPF_{BE987C8D-D523-49B8-8B95-DDDBAA46EB3F}

    Choose an interface [0 to quit]: 2
    Listening on: \Device\NPF_{5BE055D9-461D-4F51-99DD-188224D1A6D0}
    Connection attempt 10.0.2.15 -> 192.168.254.254
    Connection attempt 10.0.2.15 -> 192.168.254.254
    Connection attempt 10.0.2.15 -> 192.168.254.254
    Connection attempt 10.0.2.15 -> 192.168.254.254
    Connection attempt 10.0.2.15 -> 192.168.254.254
    Connection attempt 10.0.2.15 -> 209.85.227.106
    Connection attempt 10.0.2.15 -> 209.85.227.104
    Connection attempt 10.0.2.15 -> 209.85.227.104
    Connection attempt 10.0.2.15 -> 209.85.227.104
    Connection attempt 10.0.2.15 -> 209.85.227.100
    ^C

Below is the source code to the script. Enjoy! :)

Updates

  • A newer version of Impacket is hosted at Google Code, so I built a new installer. The previous version of the installer, based on the version of Impacket found in the Core Security webpage, is still available here: Impacket-0.9.6.0.win32.exe
  • Ge0 has built Pcapy for Python 2.7 using MinGW to avoid having a dependency on the Visual Studio runtimes. You can download it from here: pcapy.pyd

Download

connections.py

Source code

(more…)
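The source of connections.py is not reproduced on this page. The following added example is not the author's script: it shows, in Python 3 with only the standard library, the test that separates a connection attempt (SYN set, ACK clear) from other TCP traffic. The function names, the constructed frames and port 80 are assumptions; in a real sniffer the frame bytes would come from the Pcapy capture.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def connection_attempt(frame):
    """Return (src, dst, dport) for an IPv4 TCP SYN without ACK, else None."""
    if len(frame) < 14 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4   # IHL is in 32-bit words
    if version != 4 or ihl < 20 or len(ip) < ihl + 20:
        return None
    # Skip non-TCP packets and non-first fragments (no TCP header in those).
    if ip[9] != PROTO_TCP or struct.unpack("!H", ip[6:8])[0] & 0x1FFF:
        return None
    tcp = ip[ihl:]
    flags = tcp[13]
    if (flags & TCP_SYN) and not (flags & TCP_ACK):
        dport = struct.unpack("!H", tcp[2:4])[0]
        return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), dport
    return None


def build_frame(src, dst, dport, flags):
    """Constructed sample input: minimal Ethernet/IPv4/TCP frame, checksums zero."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


if __name__ == "__main__":
    samples = [
        build_frame("10.0.2.15", "192.168.254.254", 80, TCP_SYN),
        build_frame("192.168.254.254", "10.0.2.15", 49152, TCP_SYN | TCP_ACK),
        build_frame("10.0.2.15", "192.168.254.254", 80, TCP_ACK),
    ]
    for frame in samples:
        hit = connection_attempt(frame)
        if hit:
            print("Connection attempt %s -> %s (port %d)" % hit)
```

Only the first constructed frame is reported; the SYN/ACK reply and the plain ACK are ignored, which is why each connection shows up once per SYN (retransmissions included) in the output above.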

January 18, 2010

Quickpost: Converting shellcode to executable files using InlineEgg

Filed under: Tools — Mario Vilas @ 7:42 pm

Today I found this through Twitter: a web service to convert shellcode to executable files. Here’s the link to it: http://sandsprite.com/shellcode_2_exe.php.

Then I thought: hey, why do we have to send our beautiful shellcodes to someone else on the Internet when we can do it all locally? :)

So I whipped up this quick Python script using CORE’s InlineEgg package. It was coded in a few minutes so don’t blame me if it’s got bugs ;) instead let me know about it and I’ll try to fix it.

Enjoy! :)

Updates

  • Anand Sastry has tweaked the script to accept not only shellcode in binary form, but also shellcode encoded as a ‘\x’ ASCII string. Check it out!
  • Moved the source code to Github

Download

shellcode2exe.py

Source code

(more…)

November 29, 2008

Ouroboros.py

Filed under: Just for fun — Mario Vilas @ 2:41 am

This is a little nonsense I just wrote after reading the Wikipedia entry for Ouroboros. Turns out this kind of program already has a name too: Quine.

In this case it’s a Python script that uses InlineEgg to generate an ELF32 binary that generates a Python script that uses InlineEgg to generate an ELF32 binary that generates a Python script that uses InlineEgg to… well, you get the point. :)

Yeah, I know this is not really about computer security, but what the hell. It’s got Python and shellcode somewhere anyway.

A real Ouroboros!


Ouroboros.py

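    #!/usr/bin/python
    # Python 2 script: InlineEgg builds the x86 code, exelib wraps it in an ELF32 file.

    from sys import argv, stdout
    from inlineegg.inlineegg import InlineEgg, Linuxx86Syscall
    from inlineegg.exelib import Elf32Program

    # Read this script's own source; it becomes the data the binary prints.
    script = open(argv[0], 'r').read()

    # Emit code for write(1, script, len(script)) followed by exit(0).
    egg = InlineEgg(Linuxx86Syscall)
    egg.write(1, script, len(script))
    egg.exit(0)

    # Wrap the generated code in an ELF32 i386 executable and dump it to stdout.
    prg = Elf32Program()
    prg.arch = prg.ARCH_I386
    prg.addCode(str(egg))
    stdout.write(prg.bytes())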

November 28, 2008

Hello world!

Filed under: Just for fun — Mario Vilas @ 2:01 am

Hello there, welcome to my blog. I’ll begin with some useless welcome post, like most blogs do :) and make it worse with an incredibly nerdy thing to do:

    31 db 43 68 21 0a 00 00
    68 6f 72 6c 64 68 6f 2c
    20 77 68 48 65 6c 6c 89
    e1 6a 0e 5a 6a 04 58 cd
    80 31 db 31 c0 40 cd 80

Nope, it’s not a Cthulhu chant in some strange and ancient Unicode encoding. I admit it might have been though – we all know Unicode is evil.

No… It’s nothing but a… green-and-black Matrix themed “Hello World” Linux shellcode! :D
