RedTeam Script Examples (EDU) by Volkan Sah - simple codings for 'Offensive Security' (updated 5/2024)
This Black Python script example is a powerful tool to monitor traffic between clients and malicious .onion sites. It is not a game, and it is intended for use by security professionals and developers who know how to handle it safely.
Be careful! For this example, we use Python's Scapy library to listen with sensors and identify connections accessing a malicious .onion site. With Scapy, we can capture, dissect, and forge network packets.
Warning
This Black Python script example is intended for use by security professionals and developers only. It is not intended for malicious purposes, and I cannot be held responsible for any misuse of this code. If you use this tool for illegal or unethical purposes, you alone will be held responsible for any consequences that may arise, including legal and ethical issues.
Important
Please note that there are pre-steps (e.g., SoCat) you must complete before using this script. However, I will not disclose them to prevent malicious individuals from using this tool. If you choose to use it anyway, you may harm yourself and potentially face legal consequences from law enforcement.
This sample code captures packets communicating with a specific .onion address, records their timestamps and source IP address (if available), and exports them to a CSV file.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# ,---. ,--. ,--. ,--. ,--. ,--. by Nemesis Mr.Chess #
# ' .-' | ,---. ,---. ,--.--.| | ,---. ,---.| |,-. ,---. | '--' | ,---. ,--,--,--. ,---. #
# `. `-. | .-. || .-. :| .--'| || .-. || .--'| / ( .-' | .--. || .-. || || .-. : #
# .-' || | | |\ --.| | | |' '-' '\ `--.| \ \ .-' `)| | | |' '-' '| | | |\ --. #
# `-----' `--' `--' `----'`--' `--' `---' `---'`--'`--'`----' `--' `--' `---' `--`--`--' `----' #
# Will get all Bastards! #
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
from scapy.all import *
import csv
import time
import re
onion_address = "INSERT .ONION ADDRESS HERE" # .onion address you want to monitor
packet_list = []
def packet_capture(packet):
if packet.haslayer(IP):
if packet[IP].dst == onion_address or packet[IP].src == onion_address:
timestamp = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(packet.time))
src_ip = packet[IP].src
dst_ip = packet[IP].dst
protocol = packet[IP].proto
packet_list.append([timestamp, src_ip, dst_ip, protocol])
while True:
sniff(prn=packet_capture, filter=f"host {onion_address}", count=10)
# Write packet data to CSV file
with open('onion_communication.csv', mode='w', newline='') as file:
writer = csv.writer(file)
writer.writerow(['Timestamp', 'Source IP', 'Destination IP', 'Protocol'])
for row in packet_list:
writer.writerow(row)
# Check destination
for pkt in packet_list:
ip_src = pkt[1]
ip_dst = pkt[2]
if re.match(r'127\.0\.0\.1:(8080|8081|8083)', ip_dst):
print(f'Potential intruder detected: {ip_src} -> {ip_dst}')
# Reset packet_list
packet_list = []
# Add a delay or other logic as needed
time.sleep(60) # Wait for 1 minute before capturing the next batch of packets
-
Importing Libraries: The script starts by importing necessary libraries from Scapy, as well as CSV, time, and regular expressions (re) modules.
-
Setting the Onion Address: Replace "INSERT .ONION ADDRESS HERE" with the .onion address you want to monitor.
-
Packet Capture Function: -- The packet_capture function is defined to capture packets. -- It checks if the packet has an IP layer. -- If the packet’s source or destination matches the specified .onion address, it extracts the timestamp, source IP, destination IP, and protocol. -- This information is appended to the packet_list.
-
Sniffing Packets: -- The sniff function from Scapy is used to continuously capture packets. -- The packets are filtered to match the specified .onion address and processed by the packet_capture function.
-
Writing to CSV: -- Captured packet data is written to a CSV file named onion_communication.csv every time 10 packets are captured. -- The CSV file includes columns for Timestamp, Source IP, Destination IP, and Protocol.
-
Checking for Intruders: -- The script checks if any captured packets are communicating with specific local ports (127.0.0.1:8080, 127.0.0.1:8081, 127.0.0.1:8083). -- If such communication is detected, it prints a message indicating a potential intruder.
-
Resetting and Delaying: -- The packet_list is reset after each batch of 10 packets. -- The script waits for 1 minute before capturing the next batch of packets.
If you want to track all incoming traffic to bad links in a domain list, you can modify the script as follows:
from scapy.all import *
bad_domains = set(line.strip() for line in open('domainlist.txt'))
def is_bad_domain(ip):
# Extract the domain from the IP address
domain = str(ip).split('.')[-2] + '.' + str(ip).split('.')[-1]
return domain in bad_domains
def handle_packet(packet):
# Check if the packet is a SOCKS5 packet
if packet.haslayer(Raw) and b'\x05\x01\x00' in packet[Raw].load:
# Extract the destination IP address
ip = packet[IP].dst
# Check if the destination IP is a bad domain
if is_bad_domain(ip):
print("Bad domain found: {}".format(ip))
# Fork the packet to local ports
# (insert fork code here)
# Start capturing packets on the network interface
sniff(filter="tcp", prn=handle_packet)
This modification reads a file named domainlist.txt containing a list of bad domains, and creates a set of those domains. The is_bad_domain() function checks if a given IP address belongs to one of the bad domains by extracting the domain from the IP address and checking if it's in the set of bad domains.
- Inside the handle_packet() function, after identifying a SOCKS5 packet and extracting the destination IP, we call is_bad_domain() to check if the IP belongs to a bad domain. If it does, a message indicating the bad domain was found is printed.
Note that this is a basic example, and in a real-world scenario, additional checks and measures might be necessary to handle different types of traffic and avoid false positives.
This script example is for educational purposes only and should not be used for any illegal, unethical, or malicious activities. Always ensure that you have proper authorization before conducting any security testing or penetration testing on any website or system. The creator of this script is not responsible for any misuse or damages caused by using this script.
Note
Issues with this script are not accepted as it is intended for educational purposes only and not for production use.
- If you appreciate my work, please consider becoming a 'Sponsor', giving a ⭐ to my projects, or following me.
This project is licensed under the MIT - see the LICENSE file for details