├── codes
    ├── ex1.py
    ├── ex5.py
    ├── ex2.py
    ├── ex6.py
    ├── ex4.py
    └── ex7.py
├── examples
    ├── struct_example.py
    ├── icmp_server.py
    ├── wordlist_reader.py
    ├── argparse_example.py
    ├── flask_service.py
    ├── socket_client.py
    ├── nmap_handler.py
    ├── socket_server.py
    ├── telnet_cracker.py
    └── interactive_nmap.py
└── README.md


/codes/ex1.py:
--------------------------------------------------------------------------------
1 | import sys
2 | 
3 | if __name__ == "__main__":
4 |     if len(sys.argv) < 2:
5 |         print "[*] Usage: {} <parameter>".format(__file__)
6 |     else:
7 |         print "[*] {}".format(sys.argv[1])


--------------------------------------------------------------------------------
/codes/ex5.py:
--------------------------------------------------------------------------------
1 | import socket
2 | 
3 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
4 | sock.bind(('127.0.0.1', 8000))
5 | sock.listen(5)
6 | 
7 | connection = sock.accept()
8 | import pdb
9 | pdb.set_trace()


--------------------------------------------------------------------------------
/examples/struct_example.py:
--------------------------------------------------------------------------------
1 | import struct
2 | 
3 | buffer_data = 'A' * 147
4 | eip_address = struct.pack("<I", 0x40041d)
5 | nop_sled = '\x90' * 50
6 | shell_code = '\x90' * 120
7 | 
8 | exploit = buffer_data + eip_address + nop_sled + shell_code


--------------------------------------------------------------------------------
/codes/ex2.py:
--------------------------------------------------------------------------------
 1 | a = "ilk degisken"
 2 | b = "ikinci degisken"
 3 | c = 1
 4 | d = 3.1415926553979323846
 5 | 
 6 | e = ['a', 'b', 'c', 'd']
 7 | 
 8 | print "a={0}, b={1}, c={2}, d={3}".format(a, b, c, d)
 9 | 
10 | print "{} {} {} {}".format(*e)
11 | 
12 | print "merhaba {isim}".format(isim='ahmet')


--------------------------------------------------------------------------------
/examples/icmp_server.py:
--------------------------------------------------------------------------------
 1 | from scapy.all import ICMP, IP, Raw, send, sniff
 2 | 
 3 | 
 4 | def new_msg(msg):
 5 |     data = msg['Raw'].load
 6 |     if data.startswith("1337:"):
 7 |         print data[5:]
 8 | 
 9 | if __name__ == "__main__":
10 |     sniff(lfilter=lambda x: x.haslayer(Raw), filter="icmp and host 127.0.0.1", prn=lambda x: new_msg(x))


--------------------------------------------------------------------------------
/examples/wordlist_reader.py:
--------------------------------------------------------------------------------
 1 | def get_password(file_name):
 2 |     with open(file_name) as fp:
 3 |         while True:
 4 |             data = fp.readline()
 5 |             if not data:
 6 |                 break
 7 |             yield data
 8 | 
 9 | passwords = get_password('rockyou.txt')
10 | for password in passwords:
11 |     print password
12 | 


--------------------------------------------------------------------------------
/codes/ex6.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | 
 3 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 4 | server_address = ('localhost', 1337)
 5 | 
 6 | sock.connect(server_address)
 7 | 
 8 | data = ""
 9 | last_data = ""
10 | 
11 | while True:
12 |     last_data = sock.recv(1024)
13 |     if last_data:
14 |         data += last_data
15 |     else:
16 |         break
17 | 


--------------------------------------------------------------------------------
/examples/argparse_example.py:
--------------------------------------------------------------------------------
 1 | import argparse
 2 | import sys
 3 | 
 4 | if __name__ == "__main__":
 5 |     parser = argparse.ArgumentParser("tool", description="My Perfect Tool")
 6 |     parser.add_argument("--server", "-s", help="Run the server", action="store_true")
 7 |     parser.add_argument("--port", "-p", help="Set the server port number", type=int, default=8000)
 8 | 
 9 |     args = parser.parse_args()
10 | 
11 |     if len(sys.argv) == 1:
12 |         parser.print_help()
13 |     else:
14 |         pass


--------------------------------------------------------------------------------
/examples/flask_service.py:
--------------------------------------------------------------------------------
 1 | from flask import Flask, jsonify, request
 2 | 
 3 | app = Flask(__name__)
 4 | 
 5 | 
 6 | @app.route('/', methods=['GET', 'POST'])
 7 | def index():
 8 |     if request.method == 'POST':
 9 |         username = request.form.get('username', 'null')
10 |         password = request.form.get('password', 'null')
11 |         if username == 'root' and password == 'toor':
12 |             return jsonify({'msg': 'Welcome to secret panel'})
13 |         else:
14 |             return jsonify({'msg': 'Access denied'})
15 |     else:
16 |         return jsonify({'msg': 'Please login.'})
17 | 
18 | if __name__ == '__main__':
19 |     app.run(debug=True, port=8000)


--------------------------------------------------------------------------------
/examples/socket_client.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | 
 3 | wordlist = [('admin', '123456'), ('admin', 'admin'), ('root', 'toor')]
 4 | 
 5 | for username, password in wordlist:
 6 |     sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 7 |     server_address = ('localhost', 1337)
 8 | 
 9 |     sock.connect(server_address)
10 |     sock.recv(1024)
11 |     sock.send(username + "\n")
12 |     sock.recv(1024)
13 |     sock.send(password + "\n")
14 |     result = sock.recv(1024).strip()
15 | 
16 |     if "denied" in result:
17 |         print "[!] False, username = {0}, password = {1}".format(username, password)
18 |     else:
19 |         print "[*] True, username = {0}, password = {1}".format(username, password)
20 | 
21 |     sock.close()


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Python for hackers workshop
 2 | 
 3 | - environment
 4 |     - ipython
 5 |     - git
 6 |     - pdb
 7 |     - virtualenv
 8 | - system arguments
 9 | - sys, os lib
10 | - map, lambda, list comp, dict comp, generators
11 |     - example: wordlist reader
12 | - subprocess
13 |     - example: nmap handler
14 | - xml lib
15 |     - example: xml parse
16 | - argparse
17 | - struct
18 | - socket
19 |     - example: socket server
20 |     - example: socket client
21 | - threading
22 |     - example: multi-thread telnet cracker
23 | - flask
24 |     - example: flask web service
25 | - requests
26 |     - example: multi-thread api cracker
27 | - cmd
28 |     - example: interactive, multi-thread nmap handler
29 | - scapy
30 |     - example: data leak with icmp


--------------------------------------------------------------------------------
/codes/ex4.py:
--------------------------------------------------------------------------------
 1 | import subprocess
 2 | import sys
 3 | 
 4 | 
 5 | def get_password(file_name):
 6 |     with open(file_name) as fp:
 7 |         while True:
 8 |             data = fp.readline().strip()
 9 |             if not data:
10 |                 break
11 |             yield data
12 | 
13 | 
14 | def steghide_cracker(file_name, password):
15 |     steghide_cmd = ["steghide", "extract", "-sf", file_name, "-p", password]
16 |     process = subprocess.Popen(steghide_cmd, stdout=subprocess.PIPE)
17 |     result, _ = process.communicate()
18 |     if "extracted" in result:
19 |         print "[*] Password cracked: {}".format(password)
20 | 
21 | if __name__ == "__main__":
22 |     if len(sys.argv) < 3:
23 |         print "[*] Usage: {} <file_name> <wordlist>".format(__file__)
24 |     else:
25 |         file_name = sys.argv[1]
26 |         wordlist = sys.argv[2]
27 |         passwords = get_password(wordlist)
28 |         for password in passwords:
29 |             steghide_cracker(file_name, password)


--------------------------------------------------------------------------------
/examples/nmap_handler.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import subprocess
 3 | from xml.dom import minidom
 4 | 
 5 | 
 6 | def nmap_handler(host):
 7 |     nmap_params = ['nmap', '-sV', '-n', '--open', host, '-oX', '-']
 8 |     process = subprocess.Popen(nmap_params, stdout=subprocess.PIPE)
 9 |     result, _ = process.communicate()
10 |     return result
11 | 
12 | if __name__ == '__main__':
13 |     if len(sys.argv) < 2:
14 |         print "Usage: python {} <host>".format(__file__)
15 |     else:
16 |         result = nmap_handler(sys.argv[1])
17 |         xml = minidom.parseString(result)
18 |         ports = xml.lastChild.getElementsByTagName('port')
19 |         hosts = xml.lastChild.getElementsByTagName('hosts')[0]
20 |         host_status = "Up" if int(hosts.attributes['up'].value) else "Down"
21 |         print "[*] Host is {}".format(host_status)
22 |         for port in ports:
23 |             port_id = port.attributes['portid'].value
24 |             protocol = port.attributes['protocol'].value
25 |             print "[*] Open Port: {0:5} {1:5}".format(port_id, protocol)


--------------------------------------------------------------------------------
/examples/socket_server.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | 
 3 | credentials = ["root:123456", "root:toor", "admin:123456"]
 4 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 5 | server_address = ('localhost', 1337)
 6 | sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
 7 | sock.bind(server_address)
 8 | sock.listen(5)
 9 | 
10 | 
11 | while True:
12 |     connection, client_address = sock.accept()
13 |     print "[*] New connection from {0}:{1}".format(*client_address)
14 |     try:
15 |         connection.send("Username: ")
16 |         username = connection.recv(32).strip()
17 |         connection.send("Password: ")
18 |         password = connection.recv(32).strip()
19 |         if "{0}:{1}".format(username, password) in credentials:
20 |             connection.send("*"*50 + "\n")
21 |             connection.send("Welcome to really secret control panel.\n")
22 |             connection.send("*"*50 + "\n")
23 |             while True:
24 |                 connection.send("$ ")
25 |                 data = connection.recv(1024).strip()
26 |                 if data == "exit":
27 |                     break
28 |                 connection.send("Command not found '{}'\n".format(data))
29 |         else:
30 |             connection.send("Access denied.")
31 |     except socket.error:
32 |         print "An error occured with client ip={0}, port={1}".format(*client_address)
33 | 
34 |     finally:
35 |         connection.close()


--------------------------------------------------------------------------------
/codes/ex7.py:
--------------------------------------------------------------------------------
 1 | from threading import Thread, Lock
 2 | import Queue
 3 | import requests
 4 | 
 5 | 
 6 | def cracker(tn, q):
 7 |     while not exit_flag:
 8 |         queue_lock.acquire()
 9 |         if not work_queue.empty():
10 |             u, p = q.get()
11 |             data = {'username': u, 'password': p}
12 |             response = requests.post("http://localhost:8000", data)
13 |             if "denied" not in response.json()['msg']:
14 |                 cracked.append((u, p, tn))
15 |             queue_lock.release()
16 |         else:
17 |             queue_lock.release()
18 | 
19 | 
20 | class CrackerThread(Thread):
21 |     def __init__(self, thread_id, name, q):
22 |         Thread.__init__(self)
23 |         self.id = thread_id
24 |         self.name = name
25 |         self.q = q
26 | 
27 |     def run(self):
28 |         cracker(self.name, self.q)
29 | 
30 | if __name__ == "__main__":
31 |     exit_flag = 0
32 |     queue_lock = Lock()
33 |     work_queue = Queue.Queue()
34 |     threads = []
35 |     thread_number = 5
36 | 
37 |     passwords = [("root", "1234"), ("root", "123456"), ("root", "toor")]
38 |     cracked = []
39 | 
40 |     queue_lock.acquire()
41 |     for password in passwords:
42 |         work_queue.put(password)
43 |     queue_lock.release()
44 | 
45 |     for i in range(thread_number):
46 |         thread_name = "Thread-{}".format(i)
47 |         thread = CrackerThread(i, thread_name, work_queue)
48 |         thread.start()
49 |         threads.append(thread)
50 | 
51 |     while not work_queue.empty():
52 |         if cracked:
53 |             exit_flag = 1
54 | 
55 |     exit_flag = 1
56 |     for thread in threads:
57 |         thread.join()
58 | 
59 |     if cracked:
60 |         for username, password, thread_name in cracked:
61 |             print "[*] username = {0:8} | password = {1:8} | {2:8}".format(username, password, thread_name)
62 |     else:
63 |         print "[!] Not cracked."


--------------------------------------------------------------------------------
/examples/telnet_cracker.py:
--------------------------------------------------------------------------------
 1 | from threading import Thread, Lock
 2 | import Queue
 3 | import socket
 4 | 
 5 | 
 6 | def cracker(tn, q):
 7 |     while not exit_flag:
 8 |         queue_lock.acquire()
 9 |         if not work_queue.empty():
10 |             u, p = q.get()
11 | 
12 |             sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
13 |             server_address = ('localhost', 1337)
14 | 
15 |             sock.connect(server_address)
16 |             sock.recv(1024)
17 |             sock.send(u + "\n")
18 |             sock.recv(1024)
19 |             sock.send(p + "\n")
20 |             result = sock.recv(1024).strip()
21 | 
22 |             if "denied" not in result:
23 |                 cracked.append((u, p, tn))
24 |                 sock.send("exit\n")
25 | 
26 |             sock.close()
27 |             queue_lock.release()
28 |         else:
29 |             queue_lock.release()
30 | 
31 | 
32 | class CrackerThread(Thread):
33 |     def __init__(self, thread_id, name, q):
34 |         Thread.__init__(self)
35 |         self.id = thread_id
36 |         self.name = name
37 |         self.q = q
38 | 
39 |     def run(self):
40 |         cracker(self.name, self.q)
41 | 
42 | if __name__ == "__main__":
43 |     exit_flag = 0
44 |     queue_lock = Lock()
45 |     work_queue = Queue.Queue()
46 |     threads = []
47 |     thread_number = 5
48 | 
49 |     passwords = [("root", "1234"), ("root", "123456"), ("root", "toor")]
50 |     cracked = []
51 | 
52 |     queue_lock.acquire()
53 |     for password in passwords:
54 |         work_queue.put(password)
55 |     queue_lock.release()
56 | 
57 |     for i in range(thread_number):
58 |         thread_name = "Thread-{}".format(i)
59 |         thread = CrackerThread(i, thread_name, work_queue)
60 |         thread.start()
61 |         threads.append(thread)
62 | 
63 |     while not work_queue.empty():
64 |         if cracked:
65 |             exit_flag = 1
66 | 
67 |     exit_flag = 1
68 |     for thread in threads:
69 |         thread.join()
70 | 
71 |     if cracked:
72 |         for username, password, thread_name in cracked:
73 |             print "[*] username = {0:8} | password = {1:8} | {2:8}".format(username, password, thread_name)
74 |     else:
75 |         print "[!] Not cracked."


--------------------------------------------------------------------------------
/examples/interactive_nmap.py:
--------------------------------------------------------------------------------
 1 | import cmd
 2 | import threading
 3 | import subprocess
 4 | from xml.dom import minidom
 5 | 
 6 | 
 7 | class WorkerThread(threading.Thread):
 8 |     def __init__(self, name, host):
 9 |         threading.Thread.__init__(self)
10 |         self.name = name
11 |         self.host = host
12 |         self.result = None
13 | 
14 |     def run(self):
15 |         nmap_params = ['nmap', '-sV', '-n', '--open', self.host, '-oX', '-']
16 |         process = subprocess.Popen(nmap_params, stdout=subprocess.PIPE)
17 |         self.result, _ = process.communicate()
18 | 
19 | 
20 | class Console(cmd.Cmd):
21 |     def __init__(self):
22 |         cmd.Cmd.__init__(self)
23 |         self.prompt = "$> "
24 |         self.work_count = 0
25 |         self.workers = {}
26 | 
27 |     def do_exit(self, line):
28 |         alive_threads = [(name, worker) for name, worker in self.workers.items() if worker.isAlive()]
29 |         for name, worker in alive_threads:
30 |             print "[!] {0:10} waiting.".format(name)
31 |             worker.join()
32 | 
33 |     def do_EOF(self, line):
34 |         print
35 |         self.do_exit(line)
36 |         return True
37 | 
38 |     def do_quit(self, line):
39 |         self.do_exit(line)
40 | 
41 |     def emptyline(self):
42 |         pass
43 | 
44 |     def do_scan(self, line):
45 |         name = "worker{}".format(self.work_count)
46 |         worker = WorkerThread(name, line)
47 |         worker.start()
48 |         self.work_count += 1
49 |         self.workers[name] = worker
50 | 
51 |     def do_status(self, line):
52 |         for name, worker in self.workers.items():
53 |             status = "COMPLETED" if worker.result else "RUNNING"
54 |             print "[*] {0:10} : {1:20} : {2:10}".format(name, worker.host, status)
55 | 
56 |     def do_result(self, line):
57 |         if line in self.workers:
58 |             worker = self.workers[line]
59 |             if worker.result:
60 |                 xml = minidom.parseString(worker.result)
61 |                 ports = xml.lastChild.getElementsByTagName('port')
62 |                 hosts = xml.lastChild.getElementsByTagName('hosts')[0]
63 |                 host_status = "Up" if int(hosts.attributes['up'].value) else "Down"
64 |                 print "[*] Host is {}".format(host_status)
65 |                 for port in ports:
66 |                     port_id = port.attributes['portid'].value
67 |                     protocol = port.attributes['protocol'].value
68 |                     print "[*] Open Port: {0:5} {1:5}".format(port_id, protocol)
69 |             else:
70 |                 print "[*] Worker is running."
71 | 
72 |     def complete_result(self, text, line, begidx, endidx):
73 |         if not text:
74 |             completions = [name for name, worker in self.workers.items()]
75 |         else:
76 |             completions = [name for name, worker in self.workers.items() if name.startswith(text)]
77 |         return completions
78 | 
79 | if __name__ == "__main__":
80 |     console = Console()
81 |     console.cmdloop()


--------------------------------------------------------------------------------