What you need to run this Basic HTTP Requests lab:
While you could probably do this better on a Kali Linux box, I'm going to document this for a Windows platform running with an installation of Cygwin and Python 3.0. This lab can be run on a real or virtual machine.
Purpose
Learn basic Python networking: HTTP request methods and techniques.
Using HEAD to Grab HTTP Banners
In a Cygwin Terminal window, cd to where you are saving your Python files and create a new file httpRequest.py:
cat > httpRequest.py
# python3 script to make an HTTP Request
then press Ctrl-D.
This saves the file. You can then open it in Notepad++ or Vim and enter the following code:
import socket
socket.setdefaulttimeout(2)  # give up after 2 seconds instead of hanging
s = socket.socket()
target = input('Input Target host URL: (like www.ccsf.edu):')
tport = 80  # plain HTTP
s.connect((target, tport))
s.send(('HEAD / HTTP/1.1\r\nHost: ' + target + '\r\n\r\n').encode())  # HTTP lines end in CRLF; the blank line ends the request
print(s.recv(1024).decode())
s.close()
Explanation
The first line imports the "socket" library, which contains the networking functions.
The second line sets a timeout, so the script doesn't hang if there is an issue with the connection.
The third line creates the socket object.
The fourth line prompts the user for the target host.
The fifth line selects the target port (80, plain HTTP).
The sixth line makes the connection request.
The seventh line sends the HTTP HEAD request.
The eighth line receives data from the server and prints it, up to a maximum of 1024 bytes.
The ninth line closes the connection.
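As an added example (not the lab's own httpRequest.py), here is the same HEAD banner grab written so that it reads the whole reply instead of one recv(1024), and then parses the status line and headers so the Server value the lab asks you to report can be picked out directly. The host name is only a prompt default; the sample response bytes in the test are constructed.

```python
import socket

# Added example: HEAD request with CRLF line endings, a read loop, and a
# small parser for the status line and headers of the reply.

def build_head_request(host: str) -> bytes:
    """Minimal HEAD request. Connection: close makes the server hang up
    when it is done, so recv() returns b'' and the read loop ends."""
    lines = ["HEAD / HTTP/1.1", f"Host: {host}", "Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_banner(raw: bytes):
    """Split a raw HTTP response into (status line, {header: value}).
    Header names are lower-cased because HTTP treats them case-insensitively."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def recv_all(sock: socket.socket, limit: int = 65536) -> bytes:
    """Keep calling recv() until the peer closes or the limit is hit;
    a single recv(1024) can cut a long banner off mid-header."""
    chunks = []
    total = 0
    while total < limit:
        data = sock.recv(4096)
        if not data:
            break
        chunks.append(data)
        total += len(data)
    return b"".join(chunks)

def grab_banner(host: str, port: int = 80):
    """Connect, send the HEAD request and return (status, headers)."""
    with socket.create_connection((host, port), timeout=2) as s:
        s.sendall(build_head_request(host))
        return parse_banner(recv_all(s))

if __name__ == "__main__":
    status, headers = grab_banner(input("Target host (like www.ccsf.edu): "))
    print(status)
    print("Server:", headers.get("server", "<not disclosed>"))
```

Servers that hide or generalise their Server header return nothing useful here, so a missing value is itself a finding.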
Running the HTTP Request python script
In the Cygwin Terminal window, execute this command:
python httpRequest.py
You should see the server's HTTP banner (its response headers), as shown below:
Grabbing the Attack Server Banner
Use your program to grab the banner from attackdirect.samsclass.info. It should show a banner like that shown below:
Capture this image and let me know what the server information is. Turn in to Jupiter.
In another tab, open Sam's page and click on his form (I don't have it working here, but will soon): https://samsclass.info/124/proj14/p2-http.htm
On his password form, about 1/3 of the way down the page, enter a username of "a" and a password of "b".
Now run Wireshark and start it sniffing traffic. At the top left of the Wireshark window, in the Filter box, type http and press Enter. (I know we have not really learned about Wireshark, so we will walk through this in class.)
Now go back to Sam's page and re-enter the User ID and Password form. Again log in with a username of "a" and a password of "b".
In Wireshark, stop the capture.
Find the packet in Wireshark with an "Info" column of "POST /python/login1.php HTTP/1.1", as shown below:
Right-click the "POST /python/login1.php HTTP/1.1" line and click "Follow TCP Stream".
The POST request appears, as shown below. The red text shows the HTTP request your browser sent to the server, and the blue text shows the server's reply.
Making a Python Login Script
In your Cygwin window, copy the file you just created, httpRequest.py, to httpPost.py.
Now you can open this in Notepad++ or even Vim... but I would go with Notepad++.
You are going to PASTE some text from Wireshark here. Go back to the Wireshark TCP stream dialog.
With the mouse, highlight the entire red request, right-click it, and click Copy, as shown below.
PASTE this into your Notepad++ file as shown below.
Now make the following edits:
Enclose the entire request in triple quotation marks (""") and add req = to the start of it, as shown below. The text changes color (orange, most likely) because it is now a multi-line string, a handy Python feature.
Now make sure you also have code that looks like this:
import socket
socket.setdefaulttimeout(2)  # give up after 2 seconds instead of hanging
s = socket.socket()
s.connect(("attackdirect.samsclass.info", 80))
s.send(req.encode())  # req is the multi-line string pasted from Wireshark
print(s.recv(1024).decode())
s.close()
Note: to run this in Python 2.x, edit the following two lines to drop the encode/decode calls:
s.send(req)
print(s.recv(1024))
Running the Login Script
If you run this in Python 3, you still get an error. That is because the response body comes back compressed (gzipped) rather than as plain text, so the .decode() call fails on the binary data. If you run it with the Python 2.7 edits, it works, but returns data that is not human readable.
In the Wireshark TCP stream data that you pasted into the Python script, delete the following line:
Accept-Encoding: gzip, deflate
This lets the data come back without gzip compression. Save your Python script under a new name, httpPost2.py (so you can see the before and after), and rerun it.
Running the Login Script Again
Making the Username and Password Variable
Now copy your httpPost.py to httpPostPass.py and make the following edits.
You will have a POST string that ends like this:
...
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
u=a&p=b"""
The POST parameter/value pairs don't always have to be in the same order; I have seen it change when the web server's parameters are changed. In this case, the "7" in "Content-Length: 7" is the length of the body "u=a&p=b" that carries the user ID and password. It changes if the user ID and password change: with u=bob&p=pa$$w0rd the length would go from 7 to 16. The "u=" and the "&p=" account for 5 characters, plus the character count of the user ID and password.
Delete the "7" and the user ID and password line, to make it look like this:
...
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: """
Then add the following code to create variables for the user, password, and length:
user = input("Username: ")
pw = input("Password: ")
length = len(user) + len(pw) + 5
print(length)
Then edit the s.send(req.encode()) line to look like the following, where you are adding in your variables:
s.send((req + str(length) + '\n\n' + "u=" + user + "&p=" + pw).encode())  # the body is exactly Content-Length bytes, so nothing follows it
and the result will be like the following:
Troubleshooting
If your script doesn't work, use Wireshark to capture the request so you can see mistakes in it.
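Pulling the last two sections together, here is an added example (not the lab's own httpPostPass.py) that builds the same login POST from the user ID and password, computes Content-Length from the actual body bytes rather than the len(user)+len(pw)+5 rule, and handles a gzipped reply like the one that broke .decode() earlier by decompressing it. The host and path are the ones captured in Wireshark above; the sample reply is constructed, and because the fields are percent-encoded like a browser does, a password such as pa$$w0rd gives a longer body than the 16 counted above.

```python
import gzip
import socket
from urllib.parse import urlencode

# Added example: host and path come from the lab's Wireshark capture.
HOST = "attackdirect.samsclass.info"
PATH = "/python/login1.php"

def encode_form(user: str, pw: str) -> bytes:
    """Percent-encode the fields the way a browser does, so characters such
    as '$' or '&' in a password cannot corrupt the u=...&p=... body.
    The lab's len(user)+len(pw)+5 rule only holds for plain letters."""
    return urlencode({"u": user, "p": pw}).encode("ascii")

def build_login_request(user: str, pw: str) -> bytes:
    """Full POST request; Content-Length is measured from the real body."""
    body = encode_form(user, pw)
    headers = [
        f"POST {PATH} HTTP/1.1",
        f"Host: {HOST}",
        "Connection: close",
        # No Accept-Encoding header, so the server is not invited to gzip.
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
        "",
        "",
    ]
    return "\r\n".join(headers).encode("ascii") + body

def decode_body(raw: bytes) -> str:
    """Split headers from body and gunzip the body if the server compressed
    it anyway; this is the binary data the lab's .decode() tripped over."""
    head, _, body = raw.partition(b"\r\n\r\n")
    if b"content-encoding: gzip" in head.lower():
        body = gzip.decompress(body)
    return body.decode("utf-8", errors="replace")

# Constructed sample reply (not captured from the server) for offline checks.
SAMPLE_GZIP_REPLY = (b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n"
                     + gzip.compress(b"Successful login!"))

def login(user: str, pw: str) -> str:
    """Send the POST and return the (decompressed) response body."""
    with socket.create_connection((HOST, 80), timeout=2) as s:
        s.sendall(build_login_request(user, pw))
        chunks = []
        chunk = s.recv(4096)
        while chunk:
            chunks.append(chunk)
            chunk = s.recv(4096)
    return decode_body(b"".join(chunks))

if __name__ == "__main__":
    print(login(input("Username: "), input("Password: ")))
```

If the script misbehaves, print build_login_request(...) and compare it byte for byte with the red request in Wireshark; a wrong Content-Length is the usual culprit.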
Awesome... You now have a Python HTTP Post password script
Now run the login script again, with the correct username of root and a password of password.
You should see the message "Successful login!", as shown below:
For an example of this code, see jimTheSTEAMClown's GitHub repository Python-CyberSecurity-Code.
Source: Sam Bowne, an AWESOME Cyber Security instructor. I met him at the 2017 WIT Conference and had to give him a hug for all the cool cyber labs he has published on his site https://samsclass.info/, specifically his WITC class Python Scripting for Cyber Security Professionals.