Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Apress
committed
Oct 7, 2016
0 parents
commit df267e8
Showing
10 changed files
with
8,013 additions
and
0 deletions.
There are no files selected for viewing
Binary file not shown.
Binary file not shown.
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,369 @@ | ||
Listing 7-1. Source Code of Test.sh | ||
DATE=`date` | ||
echo "$DATE: Started From $1 Port $2" >> /tmp/log | ||
echo SSH-1.5-2.40 | ||
while read name | ||
do | ||
echo "$name" >> /tmp/log | ||
echo "$name" | ||
done | ||
|
||
Listing 7-2. Modified Test.sh | ||
DATE=`date` | ||
echo "$DATE: Started From $1 Port $2" >> ssh.log | ||
echo SSH-1.5-2.40 | ||
while read name | ||
do | ||
echo "$name" >> ssh.log | ||
echo "$name" | ||
done | ||
|
||
Listing 7-3. Source Code of Router-telnet.pl | ||
# Copyright 2002 Niels Provos <provos@citi.umich.edu> | ||
# All rights reserved. | ||
# For the license refer to the main source code of Honeyd. | ||
# Don't echo Will Echo Will Surpress Go Ahead | ||
$return = pack('ccccccccc', 255, 254, 1, 255, 251, 1, 255, 251, 3); | ||
syswrite STDOUT, $return, 9; | ||
$string = | ||
"Users (authorized or unauthorized) have no explicit or\r | ||
implicit expectation of privacy. Any or all uses of this\r | ||
system may be intercepted, monitored, recorded, copied,\r | ||
audited, inspected, and disclosed to authorized site,\r | ||
and law enforcement personnel, as well as to authorized\r | ||
officials of other agencies, both domestic and foreign.\r | ||
By using this system, the user consents to such\r | ||
interception, monitoring, recording, copying, auditing,\r | ||
inspection, and disclosure at the discretion of authorized\r | ||
site.\r | ||
\r | ||
Unauthorized or improper use of this system may result in\r | ||
administrative disciplinary action and civil and criminal\r | ||
penalties. By continuing to use this system you indicate\r | ||
your awareness of and consent to these terms and conditions\r | ||
of use. LOG OFF IMMEDIATELY if you do not agree to the\r | ||
conditions stated in this warning.\r | ||
\r | ||
\r | ||
\r | ||
User Access Verification\r | ||
"; | ||
syswrite STDOUT, $string; | ||
open(O, ">C:\\fff"); | ||
$count = 0; | ||
while ($count < 3) { | ||
do { | ||
$count++; | ||
syswrite STDOUT, "\r\n"; | ||
$word = read_word("Username: ", 1); | ||
} while (!$word && $count < 3); | ||
if ($count >= 3 && !$word) { | ||
exit; | ||
} | ||
$password = read_word("Password: ", 0); | ||
if (!$password) { | ||
syswrite STDOUT, "% Login invalid\r\n"; | ||
} else { | ||
syswrite STDERR, "Attempted login: $word/$password"; | ||
syswrite STDOUT, "% Access denied\r\n"; | ||
} | ||
} | ||
exit; | ||
sub read_word { | ||
local $prompt = shift; | ||
local $echo = shift; | ||
local $word; | ||
syswrite STDOUT, "$prompt"; | ||
$word = ""; | ||
$alarmed = 0; | ||
eval { | ||
local $SIG{ALRM} = sub { $alarmed = 1; die; }; | ||
alarm 30; | ||
$finished = 0; | ||
do { | ||
$nread = sysread STDIN, $buffer, 1; | ||
print O "RET: " . $nread . " BUF: " . $buffer . "\n"; | ||
die unless $nread; | ||
if (ord($buffer) == 0) { | ||
; #ignore | ||
} elsif (ord($buffer) == 255) { | ||
sysread STDIN, $buffer, 2; | ||
} elsif (ord($buffer) == 13 || ord($buffer) == 10) { | ||
syswrite STDOUT, "\r\n" if $echo; | ||
$finished = 1; | ||
} else { | ||
syswrite STDOUT, $buffer, 1 if $echo; | ||
$word = $word.$buffer; | ||
} | ||
} while (!$finished); | ||
alarm 0; | ||
}; | ||
syswrite STDOUT, "\r\n" if $alarmed || ! $echo; | ||
if ($alarmed) { | ||
syswrite STDOUT, "% $prompt timeout expired!\r\n"; | ||
return (0); | ||
} | ||
return ($word); | ||
} | ||
|
||
Listing 7-4. Source Code of Web.sh | ||
#!/bin/sh | ||
REQUEST="" | ||
while read name | ||
do | ||
LINE=`echo "$name" | egrep -i "[a-z:]"` | ||
if [ -z "$LINE" ] | ||
then | ||
break | ||
fi | ||
echo "$name" >> /tmp/log | ||
NEWREQUEST=`echo "$name" | grep "GET .scripts.*cmd.exe.*dir.* HTTP/1.0"` | ||
if [ ! -z "$NEWREQUEST" ] ; then | ||
REQUEST=$NEWREQUEST | ||
fi | ||
done | ||
|
||
if [ -z "$REQUEST" ] ; then | ||
cat << _eof_ | ||
HTTP/1.1 404 NOT FOUND | ||
Server: Microsoft-IIS/5.0 | ||
P3P: CP='ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA Content-Location: http://cpmsftwbw27/default.htm | ||
Date: Thu, 04 Apr 2002 06:42:18 GMT | ||
Content-Type: text/html | ||
Accept-Ranges: bytes | ||
|
||
<html><title>You are in Error</title> | ||
<body> | ||
<h1>You are in Error</h1> | ||
O strange and inconceivable thing! We did not really die, we were not really buried, we were not really crucified and raised again, but our imitation was but a figure, while our salvation is in reality. Christ was actually crucified, and actually buried, and truly rose again; and all these things have been vouchsafed to us, that we, by imitation communicating in His sufferings, might gain salvation in reality. O surpassing loving-kindness! Christ received the nails in His undefiled hands and feet, and endured anguish; while to me without suffering or toil, by the fellowship of His pain He vouchsafed salvation. | ||
<p> | ||
St. Cyril of Jerusalem, On the Christian Sacraments. | ||
</body> | ||
</html> | ||
_eof_ | ||
exit 0 | ||
fi | ||
DATE=`date` | ||
cat << _eof_ | ||
HTTP/1.0 200 OK | ||
Date: $DATE | ||
Server: Microsoft-IIS/5.0 | ||
Connection: close | ||
Content-Type: text/plain | ||
Volume in drive C is Webserver | ||
Volume Serial Number is 3421-07F5 | ||
Directory of C:\inetpub | ||
01-20-02 3:58a <DIR> . | ||
08-21-01 9:12a <DIR> .. | ||
08-21-01 11:28a <DIR> AdminScripts | ||
08-21-01 6:43p <DIR> ftproot | ||
07-09-00 12:04a <DIR> iissamples | ||
07-03-00 2:09a <DIR> mailroot | ||
07-16-00 3:49p <DIR> Scripts | ||
07-09-00 3:10p <DIR> webpub | ||
07-16-00 4:43p <DIR> wwwroot | ||
0 file(s) 0 bytes | ||
20 dir(s) 290,897,920 bytes free | ||
_eof_ | ||
|
||
Listing 7-5. Script Used to Clean MSBlaster Worm from Originating Hosts | ||
# Launches a DCOM exploit toward the infected attacking host | ||
# and then run cleaning commands in the remote DOS shell obtained | ||
./dcom_exploit -d $1 << EOF | ||
REM Executes the following orders on the host : | ||
REM 1) Kill the running process MSBlast.exe | ||
taskkill /f /im msblast.exe /t | ||
REM 2) Eliminate the binary of the worm | ||
del /f %SystemRoot%\system32\msblast.exe | ||
REM 3) Clean the registry | ||
echo Regedit4 > c: \cleanerMSB.reg | ||
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ | ||
CurrentVersion\Run] >> c:\cleanerMSB.reg | ||
echo "auto windows update" = "REM msblast.exe" >> c: \cleanerMSB.reg | ||
regedit /s c: \cleanerMSB.reg | ||
del /f c:\cleanerMSB.reg | ||
REM N) Specific actions to update the Windows host could be added here | ||
REM N+1) Reboot the host | ||
shutdown -r -f -t 0 exit | ||
EOF | ||
|
||
Listing 7-6. Ms-ftp.sh Script File Mimicking a Microsoft FTP Server | ||
SRCIP=$1 | ||
SRCPORT=$2 | ||
DSTIP=$3 | ||
DSTPORT=$4 | ||
SERVICE="MSFTP/FTP" | ||
HOST="ftp.banneretcs.com" | ||
AUTH="no" | ||
PASS="no" | ||
DATFILES="ftpfiles" | ||
LOG=ftp.log | ||
pwd="/" | ||
passive=0 | ||
#dataport=1234 | ||
dataport=$[$SRCPORT+1] | ||
type="ASCII" | ||
mode="S" | ||
|
||
echo -e "220 $HOST Microsoft FTP Service" | ||
|
||
while read incmd parm1 parm2 parm3 parm4 parm5 | ||
do | ||
# remove control characters | ||
incmd=`echo $incmd | ssed s/[[:cntrl:]]//g` | ||
parm1=`echo $parm1 | ssed s/[[:cntrl:]]//g` | ||
parm2=`echo $parm2 | ssed s/[[:cntrl:]]//g` | ||
parm3=`echo $parm3 | ssed s/[[:cntrl:]]//g` | ||
parm4=`echo $parm4 | ssed s/[[:cntrl:]]//g` | ||
parm5=`echo $parm5 | ssed s/[[:cntrl:]]//g` | ||
|
||
# convert to uppercase | ||
incmd_nocase=`echo $incmd | gawk '{print toupper($0);}'` | ||
#echo $incmd_nocase | ||
|
||
# log user input | ||
echo "$incmd $parm1 $parm2 $parm3 $parm4 $parm5" >> $LOG | ||
|
||
# check for login | ||
if $AUTH == "no" | ||
then | ||
if "$incmd_nocase" != "USER" | ||
then | ||
if "$incmd_nocase" != "QUIT" | ||
then | ||
echo -e "User ($SRCIP:(none)):" | ||
continue | ||
fi | ||
fi | ||
fi | ||
|
||
# parse commands | ||
case $incmd_nocase in | ||
|
||
QUIT* ) | ||
echo -e "221 \r" | ||
;; | ||
HELP* ) | ||
echo -e "Commands may be abbreviated. Commands are:" | ||
echo -e " " | ||
echo -e "! delete literal prompt send" | ||
echo -e "? debug ls put status" | ||
echo -e "append dir mdelete pwd trace " | ||
echo -e "ascii disconnect mdir quit type" | ||
echo -e "bell get mget quote user" | ||
echo -e "binary glob mkdir recv verbose" | ||
echo -e "bye hash mls remotehelp" | ||
echo -e "cd help mput rename" | ||
echo -e "close lcd open rmdir" | ||
echo -e "ftp>" | ||
;; | ||
USER* ) | ||
parm1_nocase=`echo $parm1 | gawk '{print toupper($0);}'` | ||
if [ "$parm1_nocase" == "ANONYMOUS" ]; then | ||
echo -e "331 Anonymous access allowed, send identity | ||
(e-mail name) as password.\r" | ||
AUTH="ANONYMOUS" | ||
else | ||
echo -e "331 Password required for $parm1." | ||
echo -e "Password: " | ||
AUTH=$parm1 | ||
fi | ||
;; | ||
PASS* ) | ||
PASS=$parm1 | ||
if "$AUTH" == "ANONYMOUS" ; then | ||
rand=`head -c 4 /dev/urandom | hexdump | ssed -e 's/[0 a-z]//g' | head -c 2` | ||
echo -e "230 Anonymous user logged in.\r" | ||
else | ||
echo -e "530 Login incorrect.\r" | ||
fi | ||
;; | ||
MDIR* ) | ||
if [ `echo "$parm1" | grep ^/ >/dev/null && echo 1` ]; then | ||
|
||
if `cat $DATFILES | ssed -e 's!/.*/$!/!' | grep "$parm1.*\[.*w.*\]" 2>&1 >/dev/null | ||
&& echo 1`; then | ||
echo -e "257 \"$parm1\" new directory created.\r" | ||
echo -e "$parm1/\t[drwx]" | ssed 's!//*!/!g' >> $DATFILES | ||
else | ||
echo -e "550 $parm1: Permission denied.\r" | ||
fi | ||
else | ||
|
||
if `grep "$pwd.*\.*w.*\" $DATFILES 2>&1 >/dev/null && echo 1` ; then | ||
echo -e "257 \"$pwd/$parm1\" new directory created.\r" | ||
echo -e "$pwd/$parm1/\t[drwx]" | ssed 's!//*!/!g' >> $DATFILES | ||
else | ||
echo -e "550 $parm1: Permission denied.\r" | ||
fi | ||
|
||
fi | ||
;; | ||
RMD* ) | ||
if [ `echo "$parm1" | grep ^/ >/dev/null && echo 1` ]; then | ||
|
||
if [ `cat $DATFILES | ssed -e 's!/.*/$!/!' | grep "$parm1.*\[.*w.*\]" 2>&1 | ||
>/dev/null && echo 1` ]; then | ||
echo -e "257 \"$parm1\" directory deleted.\r" | ||
#echo -e "$parm1/\t[drwx]" | ssed 's!//*!/!g' >> $DATFILES | ||
else | ||
echo -e "550 $parm1: Permission denied.\r" | ||
fi | ||
else | ||
|
||
if [ `grep "$pwd.*\[.*w.*\]" $DATFILES 2>&1 >/dev/null && echo 1` ]; then | ||
echo -e "257 \"$pwd/$parm1\" directory deleted.\r" | ||
#echo -e "$pwd/$parm1/\t[drwx]" | ssed 's!//*!/!g' >> $DATFILES | ||
else | ||
echo -e "550 $parm1: Permission denied.\r" | ||
fi | ||
fi | ||
;; | ||
PWD* ) | ||
echo -e "257 \"$pwd\" is current directory.\r" | ||
;; | ||
LS* ) | ||
if [ `grep "$parm1" $DATFILES 2>&1 >/dev/null && echo 1` ]; then | ||
|
||
if [ `grep "$pwd/$parm1.*\[.*r.*\]" $DATFILES 2>&1 >/dev/null && echo | ||
1` ]; then | ||
echo -e "150 Opening ASCII mode data connection for /bin/ls.\r" | ||
if $passive -eq 1; then | ||
#echo -e "hallo\r" | nc -w 1 -l -p $dataport | ||
sleep 6 | ||
echo -e "425 Can't build data connection: Connection Timeout\r" | ||
else | ||
mode data connection for file list.\r" | ||
echo -e "425 Can't build data connection: Connection refused\r" | ||
fi | ||
else | ||
echo -e "550 $parm1: Permission denied.\r" | ||
fi | ||
|
||
else | ||
|
||
echo -e "550 $parm1: No such file or directory\r" | ||
|
||
fi | ||
;; | ||
PASV* ) | ||
echo -e "227 Entering Passive Mode (192,168,1,2,165,53)\r" | ||
passive=1 | ||
dataport=42293 | ||
;; | ||
TYPE*) | ||
echo -e "200 Type set to $parm1.\r" | ||
type=$parm1 | ||
;; | ||
STAT* ) | ||
echo -e "Connected to $HOST.$DOMAIN\r" | ||
echo -e "Type: $type, Verbose: On ; Bell: Off ; Prompting: On ; Globbing: On " | ||
echo -e "Debugging: Off ; Hash mark printing: Off " | ||
echo -e "FTP> " | ||
;; | ||
* ) | ||
echo -e "500 '$incmd': command not understood.\r" | ||
;; | ||
esac | ||
done | ||
|
Oops, something went wrong.