I tried writing this with fewer lines of code using a list of passwords and another attempt with IGNORECASE but neither worked or worked with 100% accuracy.  Rather than spin my wheels, I just went this route with elif.  

We're recursively searching inside Word .docx files for any of: password, Password, or PASSWORD

When we get a match, we print the document location and the line containing our string match.

Storing passwords in a Word document is a bad practice -- this script shows you why it's a bad practice and why you should use a password manager.

    #!/usr/bin/python
    import os
    import docx   # pip install python-docx

    # Collect every .docx under the current directory, recursing into subfolders
    document_list = []
    for path, subdirs, files in os.walk(r"./"):
        for name in files:
            if os.path.splitext(os.path.join(path, name))[1] == ".docx":
                document_list.append(os.path.join(path, name))

    # Check each paragraph for the three spellings; the elif chain stands in for a
    # case-insensitive match and prints a paragraph once even if it contains several
    for document_path in document_list:
        document = docx.Document(document_path)
        for paragraph in document.paragraphs:
            if "password" in paragraph.text:
                print(document_path+':'+paragraph.text)
            elif "Password" in paragraph.text:
                print(document_path+':'+paragraph.text)
            elif "PASSWORD" in paragraph.text:
                print(document_path+':'+paragraph.text)


I have a Raspberry Pi implant that I can drop on a network.  When connected, it will grab an address from DHCP but I won't know its address.  I could have it open up an SSH connection but I don't want a persistent outbound connection.  What I would like is for it to get its internal address, ping something, and relay its IP back to me.  Something as simple as a single GET request hitting the logs on a server from which I can parse it out.

The supposed logical method is to use:  socket.gethostbyname(socket.gethostname())

The problem with that method in most modern nix installs is the response:  '127.0.0.1'


A common practice I see from time to time that makes me cringe -- documents titled "passwords" that contain passwords.  It's fairly simple to hunt those down though.  Files containing sensitive data such as social security numbers and credit card numbers are harder to find, due to less obvious filenames and the many possible numeric formats.  I was originally intending to go with two different scripts but ended up combining them.

This test script searches recursively for .txt files, hunts for both social security numbers and credit card numbers, with dashed and non-dashed variations, and then spits out the number with the corresponding filename and path.

    #!/usr/bin/python3
    import re
    import sys
    import glob

    # Candidate card number: 13-16 digits, optionally separated by spaces or dashes
    cc_pattern = re.compile(r'\b(?:\d[ -]*?){13,16}\b')
    # SSN: 9 digits with optional dashes, or the XXX-XX-XXXX placeholder
    ssn_pattern = re.compile(r'\b\d{3}-?\d{2}-?\d{4}\b|\bXXX-XX-XXXX\b')

    folder_path = './'
    for filename in glob.iglob(folder_path + '**/*.txt', recursive=True):
        # errors='ignore' skips undecodable bytes instead of aborting on binary junk
        with open(filename, 'r', errors='ignore') as text_file:
            for line in text_file:
                # search() finds the pattern anywhere on the line; match() only looks at column 0
                if cc_pattern.search(line):
                    sys.stdout.write(filename + ':' + line)
                elif ssn_pattern.search(line):
                    sys.stdout.write(filename + ':' + line)
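A 13-to-16 digit run matches order numbers, tracking numbers and timestamps just as happily as card numbers, so a regex-only scan of a big share produces a lot of noise. The usual fix in DLP tooling is to validate the candidates: card numbers must pass the Luhn mod-10 check, and the SSA never issues SSNs with area 000, 666 or 900-999, group 00 or serial 0000. Below is an added example (my code, not the script from this post) that does both and reports validated hits with file and line number; `SAMPLE` is constructed input using the public Visa and Mastercard test numbers, and the `XXX-XX-XXXX` placeholder from the script above is deliberately left out since it is not data.

```python
import os
import re

# Candidate card number: 13-19 digits, each pair optionally separated by one space or dash
CC_CANDIDATE = re.compile(r'\b\d(?:[ -]?\d){12,18}\b')
# SSN shape: AAA-GG-SSSS with optional dashes; the groups are kept for validation
SSN_SHAPE = re.compile(r'\b(\d{3})-?(\d{2})-?(\d{4})\b')


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; real payment card numbers pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != '00' and serial != '0000'


def scan_text(text: str):
    """Return [(kind, matched_string), ...] for validated card numbers and SSNs in text."""
    hits = []
    for m in CC_CANDIDATE.finditer(text):
        digits = re.sub(r'[ -]', '', m.group())
        if luhn_ok(digits):
            hits.append(('cc', m.group()))
    for m in SSN_SHAPE.finditer(text):
        if ssn_ok(*m.groups()):
            hits.append(('ssn', m.group()))
    return hits


def scan_tree(folder='.'):
    """Walk folder for .txt files and yield (path, line_number, kind, value) per validated hit."""
    for path, _subdirs, files in os.walk(folder):
        for name in files:
            if name.lower().endswith('.txt'):
                full = os.path.join(path, name)
                with open(full, 'r', errors='ignore') as fh:
                    for lineno, line in enumerate(fh, 1):
                        for kind, value in scan_text(line):
                            yield full, lineno, kind, value


# Constructed sample lines; the card numbers are the public Visa/Mastercard test numbers
SAMPLE = """Order 1234567890123456 shipped on Monday.
card on file: 4111 1111 1111 1111 exp 12/25
typo in card: 4111-1111-1111-1112
employee ssn 123-45-6789 verified
placeholder ssn 666-45-6789 rejected
backup card 5555555555554444
"""

if __name__ == '__main__':
    for kind, value in scan_text(SAMPLE):
        print(kind, value)
    for path, lineno, kind, value in scan_tree('.'):
        print(f'{path}:{lineno}: {kind} {value}')
```

On the sample, the 16-digit order number and the mistyped card fail Luhn and the 666 SSN fails the SSA rules, so only the two real test card numbers and the one plausible SSN are reported. Luhn is a checksum, not proof that a number belongs to a live account, so treat hits as leads for a manual look rather than confirmed findings.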


In order to defend against attacks, you have to understand the attack vectors and weigh the risks.  A meterpreter shell generated into an .exe file with msfvenom won't make it through email and if it somehow did manage to make its way to a desktop, it would immediately get gobbled up by the antivirus software.  I know this for a fact because I've generated said payload and dropped it onto a desktop.  I'm not worried about .exe files.  On the other hand, I consider Microsoft Office documents a potential risk.

I can block .exe files but I cannot block Microsoft Office documents without angering the masses.  With that in mind, what's the exposure?  Depends on the users, no?  The sender is also a factor.


While playing around with a couple of other scripts, I got this idea that I wanted to incorporate extracting data from PDFs.  Nothing fancy here: a recursive search for PDFs, extracting the text, and writing it out to a text file, output.txt

    #!/usr/bin/python3
    import glob
    # PyPDF2 3.x API; releases before 3.0 used PdfFileReader / getPage / extractText
    from PyPDF2 import PdfReader

    folder_path = './'
    # Open the output once instead of reopening it for every PDF
    with open('./output.txt', 'a+') as output:
        for filename in glob.iglob(folder_path + '**/*.pdf', recursive=True):
            with open(filename, 'rb') as pdf_file:
                # strict=False tolerates minor structural errors instead of raising
                reader = PdfReader(pdf_file, strict=False)
                output.write('=== ' + filename + '\n')
                for page in reader.pages:
                    # extract_text() returns '' for image-only pages; there is no OCR here
                    output.write(page.extract_text() or '')
                    output.write('\n')


I attended Cactuscon this past weekend and there was a talk on cracking Active Directory hashes.  When I entered the room (late), it was standing room only.  For a few minutes, I listened in but eventually ended up leaving because the gist of the talk is something I already practice.  Essentially, build a cracking machine, dump the Active Directory hashes, and check for weak passwords.

My cracking machine is a Dell Precision 3600 Series workstation with an NVIDIA 8GB GPU.  Without the GPU, using my 400MB wordlist, it takes approximately 2.5 hours to exhaust the list.  With the GPU, it takes 7 minutes.  It's a modest cracking machine and its purpose isn't to win any contests.  I just want to get through a reasonable wordlist in a reasonable amount of time.  This meets that goal.


© 2020 sevenlayers.com