steeve85

#!/usr/bin/env python
import httplib, os.path, argparse, pefile, struct

"""
pdb_downloader.py
v0.1

Steeve Barbeau
@steevebarbeau
steeve-barbeau.blogspot.com

steeve85

#!/usr/bin/env python

import twitter, argparse, time

"""
twicrypter.py
v0.1

Steeve Barbeau
@steevebarbeau

steeve85

#********************************************************************************
#*                               Dionaea
#*                           - catches bugs -
#*
#*
#*
#* Copyright (C) 2009  Paul Baecher & Markus Koetter
#* 
#* This program is free software; you can redistribute it and/or
#* modify it under the terms of the GNU General Public License

steeve85

[steeve@omega ~]$ nmap -sS -T 4 -A -O AAA.BBB.CCC.DDD
Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-08 22:26 CEST
Nmap scan report for blah.blah.com (AAA.BBB.CCC.DDD)
Host is up (0.048s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Dionaea honeypot ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0)

steeve85

match backdoor m|^PWD$| p/Subseven backdoor/ i/**BACKDOOR**/ o/Windows/
match asterisk m|^Asterisk Call Manager/([\d.]+)\r\n| p/Asterisk Call Manager/ v/$1/
match quake3 m|^\xff\xff\xff\xffdisconnect$| p/Quake 3 dedicated server/

Probe TCP mydoom q|\x0d\x0d|
rarity 9
ports 706,3127-3198
match mydoom m|\x04\x5b\0\0\0\0\0\0| p/MyDoom virus backdoor/ v/v012604/

# Windows 2003

steeve85

match ftp m|^220 Welcome to the ftp service\r\n| p/Dionaea honeypot ftpd/ 
match http m|^HTTP/1\.0 200 OK\r\nContent-type: text/html; charset=utf-8\r\nContent-Length: 204\r\n\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 3\.2 Final//EN\"><html>\n<title>Directory listing for /</title>\n<body>\n<h2>Directory listing for /</h2>\n<hr>\n<ul>\n<li><a href=\"\.\./\">\.\./</a>\n</ul>\n<hr>\n</body>\n</html>\n$| p/Dionaea honeypot httpd/ 
match microsoft-ds m|^\0...\xffSMBr\0\0\0\0\x98\x01\x40\0\0\0\0\0\0\0\0\0\0\0\0\xff\xff\x40\x06\0\0\x01\0\x11\x07\0\x03\x01\0\x01\0\0\x10\0\0\0\0\x01\0\0\0\0\0\xfd\xe3\0\0..........\x00\x34\0W\0O\0R\0K\0G\0R\0O\0U\0P\0\0\0H\0O\0M\0E\0U\0S\0E\0R\0-\0.\0.\0.\0.\0.\0.\0\0\0|s p/Dionaea honeypot smbd/ 
match ms-sql-s m|^\x04\x01\x00\x2b\x00\x00\x00\x00\x00\x00\x1a\x00\x06\x01\x00\x20\x00\x01\x02\x00\x21\x00\x01\x03\x00\x22\x00\x00\x04\x00\x22\x00\x01\xff\x08\x00\x02\x10\x00\x00\x02\x00\x00| p/Dionaea honeypot MS-SQL server/ 

steeve85

def handle_established(self):
  self.processors()
  #self.reply(WELCOME_MSG, "Welcome to the ftp service")
  self.reply(WELCOME_MSG, "Microsoft FTP Service")

steeve85

def list_directory(self, path):
  #[..]
  r = []
  displaypath = cgi.escape(self.header.path)
  r.append('<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">')
  r.append("<html>\n<title>Directory listing for %s</title>\n" % displaypath)
  r.append("<body>\n<h2>Directory listing for %s</h2>\n" % displaypath)
  r.append("<hr>\n<ul>\n")
  for name in list:
    fullname = os.path.join(path, name)

steeve85

class SMB_Negociate_Protocol_Response(Packet):
  name="SMB Negociate Response"
  smb_cmd = SMB_COM_NEGOTIATE #0x72
  fields_desc = [
    #[..],
    ConditionalField(UnicodeNullField("OemDomainName", "HINMAP"), lambda x: not x.Capabilities & CAP_EXTENDED_SECURITY),
    # "ServerName" field needed for case without CAP_EXTENDED_SECURITY
    ConditionalField(UnicodeNullField("ServerName", "TRYHARDER"), lambda x: not x.Capabilities & CAP_EXTENDED_SECURITY),
    #[..],]

steeve85

[steeve@omega ~]$ sudo nmap -sS -sV AAA.BBB.CCC.DDD
Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-09 23:54 CEST
Nmap scan report for blah.blah.com (AAA.BBB.CCC.DDD)
Host is up (0.058s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
22/tcp   open  ssh           OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0)
42/tcp   open  tcpwrapped
80/tcp   open  http?