python test ioc extractor

# Steps
# 1.) Drop IoCs [IP address or urls only currentl] from things below into "iocs.txt"
# - Emotet ( https://twitter.com/Cryptolaemus1 )
# - UrlHaus ( https://urlhaus.abuse.ch/downloads/csv_online/ )
# - Phish Tank ( https://www.phishtank.com/phish_search.php?page=1&active=y&valid=y&Search=Search )
# - Trickbot ( https://twitter.com/search?q=%23trickbot&src=typed_query&f=live )
# 2.) run script
import sys
import os
import re
from urllib.parse import urlparse
debug = 0
filepath = 'iocs.txt'
ipfilepath = 'ips.txt'
dnsfilepath = 'dns.txt'
ioccontainswhitelist = [
".sendgrid.net"
]
iocwhitelist = [
"google.com",
"www.google.com",
"urlhaus.abuse.ch",
"pastebin.com",
"ak.imgfarm.com",
"docs.google.com",
"drive.google.com",
"i.imgur.com",
"img.sobot.com",
"imgur.com",
"www.imgur.com",
"raw.githubusercontent.com",
"github.com",
"www.github.com",
"adobe.com",
"www.adobe.com",
"ibm.com",
"www.ibm.com",
"dell.com",
"www.dell.com",
"bing.com",
"www.bing.com",
"msn.com",
"www.msn.com",
"documentcloud.adobe.com",
"cisco.com",
"www.cisco.com",
"oshkosh.webex.com",
"l.yimg.com",
"yimg.com",
"dl.dropboxusercontent.com",
"dropbox.com",
"www.dropbox.com",
"godaddy.com",
"godaddysites.com",
"files.constantcontact.com",
"ipinfo.io",
"bit.ly",
"onedrive.live.com",
"000webhostapp.com",
"storage.googleapis.com",
"wikileaks.org",
"forms.gle",
"go2l.ink",
"capesandbox.com",
"twitter.com",
"paste.cryptolaemus.com",
"cryptolaemus.com",
"gist.githubusercontent.com",
"bitbucket.org",
"img1.wsimg.com",
"cdn.discordapp.com",
"web.mit.edu",
"bit.do",
"na3.docusign.net",
"sway.office.com",
"sites.google.com",
"aka.ms",
"login.microsoftonline.com",
"track.smtpsendmail.com",
"r20.rs6.net",
"files.gamebanana.com",
"sems.sas.com"
]
with open(filepath) as fp:
 rawLine = fp.readline().rstrip()
 ipResults = []
 dnsResults = []
 while rawLine:
  if debug:
   print("DEBUG: reviewing %s" % rawLine)
  found = 0
  ioc = None
  isIp = 0
  isDns = 0
  ipRegex = re.findall( r'(\d+\.\d+\.\d+\.\d+)', rawLine )
  if ipRegex:
   ioc = ipRegex[0]
   isIp = 1
   if debug:
    print("DEBUG: IP address %s" % ioc)
  if not ioc:
   urlRegex = re.search('http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\), ]|(?:%[0-9a-fA-F][0-9a-fA-F]))+', rawLine) 
   if urlRegex:
    parts = urlRegex.group().split('/')
    if parts and len(parts) > 2:
     ioc = urlRegex[0].split('/')[2]
     isDns = 1
     if debug:
      print("DEBUG: url with http %s" % ioc)
   if not ioc:
    if debug:
     print("DEBUG: checking url 2nd time")
    urlRegexV2 = re.search('^([a-zA-Z.]+\.([a-zA-Z]){2,7}\/.*)$', rawLine) 
    if urlRegexV2:
     parts = urlRegexV2.group().split('/')
     if parts and len(parts) > 0:
      ioc = parts[0]
      isDns = 1
      if debug:
       print("DEBUG: url without http %s" % ioc)
    else:
     if debug:
      print("DEBUG: checking url 3rd time")
     urlTest = re.search('^([a-zA-Z.]+)\.([a-zA-Z]){2,7}$', rawLine) 
     if urlTest:
      ioc = rawLine
      isDns = 1
      if debug:
       print("DEBUG: url domain only %s" % ioc)
  if ioc:
   ioc = ioc.lower()
   for ignoredIoc in iocwhitelist:
    if ioc == ignoredIoc.lower():
     found = 1
     if debug:
      print("DEBUG: ignored %s" % ioc)
     break
   for ignoredIoc in ioccontainswhitelist:
    if ignoredIoc.lower() in ioc:
     found = 1
     if debug:
      print("DEBUG: ignored %s" % ioc)
     break
   if found == 0:
    if "..." not in ioc:
     if isIp:
      ipResults.append(ioc)
     if isDns:
      dnsResults.append(ioc)
  rawLine = fp.readline()

ipResults = sorted(set(ipResults))
dnsResults = sorted(set(dnsResults))

with open(ipfilepath,"w+") as fp:
 for ioc in ipResults:
  fp.write("%s\n" % ioc)
 if len(ipResults) > 0:
  print("%s created" % ipfilepath)

with open(dnsfilepath,"w+") as fp:
 for ioc in dnsResults:
  fp.write("%s\n" % ioc)
 if len(dnsResults) > 0:
  print("%s created" % dnsfilepath)
 

phishing log hunting

import requests
import os
filepath = 'urls.txt'
folders = ["", "log", "logs", "script", "scripts"]
files = ["logs.txt", "log.txt", "log.html", "logs.html", "error_logs.txt", "error_log.txt", "script.txt", "1.php", "ise.txt", "user.txt", "users.txt", "stored.txt", "fullz.txt", "accounts.txt", "login.txt", "logins.txt", "U1.txt"]
printfailures = 0
foundcount = 0
quietmode = 1
printstatus = 1
searchcount = 0
with open(filepath) as fp:
 theurl = fp.readline()
 while theurl:
  searchcount = searchcount + 1
  theurl = theurl.strip()
  lastparen = theurl.rfind("/")
  baseurl = ""
  if lastparen > 10:
   baseurl = theurl[:lastparen]
  else:
   baseurl = theurl
  if printstatus == 1:
   if searchcount % 10 == 0:
    print("----------")
    print("STATUS   : %s done" % searchcount)
    print("----------")
  if quietmode == 0:
   print("----------")
   print("TESTING  : %s" % baseurl)
   print("----------")
  timeout = 0
  foundcount = 0
  for folder in folders:
   if timeout == 1:
    break
   if foundcount > 2:
    break
   for file in files:
    if timeout == 1:
     if quietmode == 0:
      print("**TIMEOUT DETECTED, CANCELLING")
     break
    if foundcount > 2:
     print("**HIGH HIT RATE DETECTED, STOPPING SEARCH, LIKELY FALSE POSITIVE")
     break
    stem = ("/%s/%s" % (folder, file))
    stem = stem.replace("//", "/")
    url = ("%s%s" % (baseurl, stem))
    try:
     response = requests.get(url, timeout=2)
     if response.status_code == 200:
      foundcount = foundcount + 1
      if quietmode == 1:
       if foundcount == 1:
        print("----------")
        print("URL      : %s" % baseurl)
        print("----------")
      print("=>FOUND<=: %s (RESPONSE: %s)" % ( stem , str(response.status_code) ))
     else:
      if printfailures == 1:
       if quietmode == 0:
        print("**FAIL   : %s (RESPONSE: %s)" % ( stem , str(response.status_code) ))
    except:
     timeout = 1
     if printfailures == 1:
      if quietmode == 0:
       print("**FAIL   : %s (TIMEOUT)" % theurl)
  if foundcount == 0:
   if quietmode == 0:
    print("**0 HITS")
  theurl = fp.readline()

Emotet failed attempt at Reversing

Just documenting my attempts for my own learning at reversing Emotet unpacker.

This may not be correct, I'm just learning so I may be completely misunderstanding or missing things

sample:
hxxps://www.internationalabacus[.]com/calendar/Lr/
https://www.virustotal.com/gui/file/eac3cec9d0fcd2de926b66c0720bed7d8a38c092aa42089ac9a6e3a72002c5da/detection
ceb166362f11a7769b71a2bcb5eb0e31












Interesting APIs to maybe try to break on

MoveFileExA (kernel32)
CreateProcessInternalW (kernel32)
RtlIPv4StringToAddress (ntdll)
UrlCanonicalizeW (SHLWAPI)
GetAddressInfoExW (WS2_32)
HttpSendRequestW (WinInet)

assembly basics: strcmp ; test eax, eax

push eax (1st string to compare)
push ecx (2nd string to compare)
call strcmp (do the compare using C library ... if same EAX = 0, if different EAX = 1)
test eax, eax (same as 'and eax, eax' ... so if EAX = 0 ZF = 1 ... if EAX = 1 ZF = 0)
jz loc_40124C (so jump if zero jumps if ZF = 1 ... which is when EAX = 0)

------

In simpler terms
- compare the 2 strings
- if same
  - EAX gets set to 0
  - ZF gets set to 1
  - JZ will jump because ZF = 1
- if different
  - EAX gets set to 1
  - ZF gets set to 0
  - JZ will NOT jump because ZF = 0

------

In simplest terms 

  if you see " strcmp ; test ; jz "
    JZ green if the 2 strings are the same (0)

    JZ red if the 2 strings are different (non 0)

  if you see " strcmp ; test ; jnz "
    JNZ green if the 2 strings are different (non 0)

    JNZ red if the 2 strings are the same (0)

  if you see " strlen; test ; jz "
    JZ green if empty string (0)

    JZ red if non-empty string (non 0)

  if you see " strlen ; test ; jnz "
    JNZ green if non-empty string (non 0)

    JNZ red if empty string (0)

  if you see " call; test ; jz "
    JZ green if function call successful (0)

    JZ red if function call failed (non 0)

  if you see " call ; test ; jnz "
    JNZ green if function call failed (non 0)

    JNZ red if function call successful (0)

  if you see " cmp ; test ; jz "
    JZ green if the 2 numbers are the same (0)

    JZ red if the 2 numbers are different (non 0)

  if you see " cmp ; test ; jnz "
    JNZ green if the 2 numbers are different (non 0)

    JNZ red if the 2 numbers are the same (0)

Jump arrows

Green: if condition is satisfied (JZ=0, JNZ=non-0)
Red: if the condition is not satisfied (JZ=non-0, JNZ=0)

list all ips in a range, genip

> genip 10.0.0.1-10

10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.5
10.0.0.6
10.0.0.7
10.0.0.8
10.0.0.9
10.0.0.10

openvpn error, write to TUN/TAP: Input/output error (code=5)

if getting error: write to TUN/TAP: Input/output error (code=5)

type

> dhclient tap0     

then try again

this enabled dhcp on the tap0 interface

bettercap missing local to local traffic

issue i ran into

had 3 virtualbox vms
1.) linux running python SimpleHTTPServer, simulates a website, network set to "internal network"
2.) windows accessing the linux website in #1 above, simulates the victim, network set to "internal network"
3.) kali running bettercap, arp.spoof.targets = linux server #1 above and windows #2 above, will do MiTM (man-in-the-middle) against the 2 systems above, network set to "internal network"

Issue I ran into is that with ettercap (no 'b') it worked great, I could see the traffic going from windows box to linux web server ... BUT with bettercap the arp spoof seemed to work but the traffic was nowhere to be found when using tools like "net.sniff" or "https.proxy" on bettercap.

Root Cause:
    By default ettercap (no 'b') captures all traffic (local & external)
    By default bettercap only captures external traffic & ignores local to local traffic

Fix:
    set arp.spoof.internal true
    set net.sniff.local true

The enables capture of internal traffic and now I started seeing it!