C Very new and need some advice, personal scripts Cyber Sec

Hello all :)

I am a Cyber Sec student, working on CEH (Certified Ethical Hacker) and CCNA (Cisco networking). After several books and many many tutorials, I found that being motivated to create something is the best teacher when it comes to programming.
So I was hoping to write some scripts to personalize/automate my system and Hacking. I would like to build a script that starts while FreeBSD is booting and captures all network activity coming from the network tap (trying to detect a rootkit/boot sector malware), etc... Then a script for auto enumeration/scanning of targets and self (if that makes sense).

My question is, should I attempt to do this in my tcsh or C/python. I would like to have a program (eventually) that would act like metasploit/IDS/IPS/LiveCD all rolled into one. Mind you, I am still very new and something like this would take a career-lifetime(it feels like atm anyway) to perfect, but just like any project and learning experience, it's better to try and just see what happens. Personally I think it will be the best reality check / teacher I could find at this point.

Sorry for the blabbing, If anyone could voice an opinion(anything that comes to mind from anyone idc, just really curious to hear someone else thoughts) or post some scholarly articles I would be forever indebted. Thanks

This is my level of skill and what I have so far, at the moment I feel it's more like pseudo code for C in the future:
(can also be viewed at a popular code pasting site (don't know if I'm allowed to name it) under fcC7huZ9)
Code:
import pcap,dpkt
import socket
import os

def capture():
    dev= pcap.lookupdev()
    for ts, pkt in pcap.pcap(name=dev, snaplen=65535, promisc=True, immediate=False):
        eth = dpkt.ethernet.Ethernet(pkt)
        if eth.type!=2048: #! if ipv6
            ip = eth.data
            typepack = eth.type
            try:
                dst_ip_6= socket.inet_ntop(socket.AF_INET6, ip.dst )
            except AttributeError:
                continue
        else:
            ip = eth.data
            tcp = ip.data
            typepack = eth.type
            try:
                src_ip = socket.inet_ntoa(ip.src)
                dst_ip = socket.inet_ntoa(ip.dst)
           
                if dst_ip == '10.0.0.2':
                    with open('//home//mrfree//ipLog.txt','a') as log:
                        log.write('Session:%s:%s,%s\n'%(src_ip,tcp.dport,ts))
                        if tcp.dport < 1028:
                                log.write('Out of bounds connection attempt, Blocking %s \n'%(src_ip))
                                os.popen("iptables -I INPUT -s %s -j DROP"%(src_ip))
                                os.popen("iptables -I OUTPUT -d %s -j DROP"%(src_ip))
                        with open('//home//mrfree//filters.txt','r') as filters:
                            filters = filters.read()
                        if filters in tcp.data:
                            log.write('Attempted Shell connection, Blocking %s \n'%(src_ip))
                            os.popen("iptables -I INPUT -s %s -j DROP"%(src_ip))
                            os.popen("iptables -I OUTPUT -d %s -j DROP"%(src_ip))
                       
                       
            except AttributeError,TypeError:
                continue


capture()
 
Here is a short code review about the code you posted. I hope this helps you a little bit.

  • Double slashes // in your path names. Why?
  • You ignore the return value of os.popen. Why use it at all then?
  • Use the subprocess module instead of os.popen.
  • Don't use string concatenation or formatting for building command lines. subprocess should help here as well.
  • Don't wrap your whole code in a giant try-except-block. Ignoring AttributeError is bad. Use an if with hasattr if you are unsure if an object has a specific attribute or getattr with default values.
  • Wrap your capture() in the last line in if __name__ == "__main__": to prevent executing the function should you ever import your code in another module.
  • iptables does not exist on FreeBSD AFAIK.
 
Thank you for posting, this was a huge help

I thought // was used to allow for backslashes, if not, it would comment out anything adjacent? I just added os.popen trying to block an IP address in Kali Linux. I wasn't sure what to do there. Thanks again for the post

May I pm you, I’ve been warned about my writing style and fear I may be banned if I continue in the threads?

Edit: I looked at some python docs, and I have no idea why I’ve been using // Thanks.
 
You can pm me if you want, but no guarantees... ;)

The string you give os.popen is given verbatim to the shell and evaluated by it. So you need to be extra careful what you pass it. Maybe also take a look at popen(3), fork(2) and execv(3). This is for the C library functions, but Python uses them underneath and the subprocess module is a nice abstraction over them.
 
Back
Top