From 552c4968907be1c3888481d47aedf10d15d6d7e9 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 6 Jul 2018 13:30:54 +0700
Subject: [PATCH] Update Profile
---
 README.md | 10 +++++-----
 e2modrewrite.py | 12 +++++++++---
 profile/bing.txt | 3 ---
 profile/comfoo.txt | 5 -----
 profile/fiesta.txt | 7 -------
 profile/havex.txt | 3 ---
 profile/microsoftupdate.txt | 3 ---
 profile/pitty_tiger.txt | 5 -----
 profile/safebrowsing.txt | 8 --------
 profile/zeus.txt | 7 -------
 10 files changed, 14 insertions(+), 49 deletions(-)
 mode change 100644 => 100755 e2modrewrite.py
 delete mode 100644 profile/bing.txt
 delete mode 100644 profile/comfoo.txt
 delete mode 100644 profile/fiesta.txt
 delete mode 100644 profile/havex.txt
 delete mode 100644 profile/microsoftupdate.txt
 delete mode 100644 profile/pitty_tiger.txt
 delete mode 100644 profile/safebrowsing.txt
 delete mode 100644 profile/zeus.txt
diff --git a/README.md b/README.md
index af95c1d..c07afb1 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,7 @@ __Updates and Features__
 ## Example
 ```
-$ python e2modrewrite.py -i profile/comfoo.txt -c 192.168.1.1 -d https://google.com
+$ python e2modrewrite.py -i profiles/normal/microsoftupdate.profile -c 192.168.1.11 -d https://google.com
 #### Save the following as .htaccess in the root web directory
 ########################################
@@ -26,14 +26,14 @@ RewriteEngine On
 ## Uncomment and adjust as needed
 #RewriteCond %{REQUEST_URI} ^/css/style1.css?$
 #RewriteCond %{HTTP_USER_AGENT} ^$
-#RewriteRule ^.*$ "http://192.168.1.1/download/po" [P,L]
+#RewriteRule ^.*$ "http://192.168.1.11/download/po" [P,L]
 ## Profile URIs
-RewriteCond %{REQUEST_URI} ^/(include/template/isx.php|wp06/wp-includes/po.php|wp08/wp-includes/dtcla.php|modules/mod_search.php|blog/wp-includes/pomo/src.php|includes/phpmailer/class.pop3.php)/?$
+RewriteCond %{REQUEST_URI} ^/(c/msdownload/update/others/2013/11/9946821_f5082b842c8abc5c47cfc68f98340ec384b69fa9.cab|c/msdownload/update/software/ftpk/2013/11/ie-spelling-nl_3576e6450352dfc0c0892bf62384e75a56d780a7.msu)/?$
 ## Profile UserAgent
-RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0\ \(Windows;\ U;\ MSIE\ 7\.0;\ Windows\ NT\ 5\.2\)\ Java/1\.5\.0_08?$
-RewriteRule ^.*$ http://192.168.1.1%{REQUEST_URI} [P]
+RewriteCond %{HTTP_USER_AGENT} ^Windows-Update-Agent/10\.0\.10011\.16384\ Client-Protocol/1\.40?$
+RewriteRule ^.*$ http://192.168.1.11%{REQUEST_URI} [P]
 # Redirect all other traffic here
 RewriteRule ^.*$ https://google.com/? [L,R=302]
diff --git a/e2modrewrite.py b/e2modrewrite.py
old mode 100644
new mode 100755
index 4837677..ee77622
--- a/e2modrewrite.py
+++ b/e2modrewrite.py
@@ -62,10 +62,16 @@ RewriteRule ^.*$ {}/? [L,R=302]
 ########################################
 '''
+ua_string = "set DefaultProfile"
 commProfile = open(args.inputfile, 'r')
-cp_file = commProfile.read()
+contents = commProfile.read()
+
+ua_start = contents.find(ua_string) + len(ua_string)
+ua_end = contents.find("\n",ua_start)
+ua_profile = contents[ua_start:ua_end]
+
 commProfile.close()
-profile = re.sub(r'(?m)^\#.*\n?', '', cp_file).strip('\n')
+profile = re.sub(r'(?m)^\#.*\n?', '', ua_profile.lstrip()).strip('\n')
 uri_string = profile.split('|')[0]
 uri = uri_string.replace('\"','').replace(',','|').replace(',','|').strip('/')
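Review bot: `contents.find(ua_string)` on the new `ua_start` line returns -1 when the input carries no `set DefaultProfile` marker, and adding `len(ua_string)` turns that into an offset of 17, so an input in the old pipe-delimited layout (the profile/*.txt files this commit deletes) is silently parsed from an arbitrary substring instead of failing with a clear message. `contents.find("\n",ua_start)` has the same weakness when the marker sits on the last line without a trailing newline: `contents[ua_start:-1]` then drops the final character. Both lookups should be checked before slicing, the handle is better held in a `with open(...)` so it is closed even if the read raises, and `ua_string` is a misleading name for a line marker rather than a user agent. The script is a flat module, so there is no enclosing function to note.
```python
profile_marker = "set DefaultProfile"
with open(args.inputfile, 'r') as commProfile:
    contents = commProfile.read()

marker_at = contents.find(profile_marker)
if marker_at < 0:
    raise SystemExit("no '%s' line found in %s" % (profile_marker, args.inputfile))
ua_start = marker_at + len(profile_marker)
ua_end = contents.find("\n", ua_start)
# a marker on the last line has no newline to stop at; take the rest of the file
ua_profile = contents[ua_start:] if ua_end < 0 else contents[ua_start:ua_end]
# ... unchanged: profile = re.sub(...) and the uri/user-agent parsing ...
```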
@@ -75,4 +81,4 @@ user_agent_string = profile.split('|')[1]
 user_agent = user_agent_string.replace(' ','\ ').replace('.','\.').replace('(','\(').replace(')','\)')
 rules = (htaccess_template.format(empireC2,uri,user_agent,empireC2,redirect))
-print rules
+print rules
\ No newline at end of file
diff --git a/profile/bing.txt b/profile/bing.txt
deleted file mode 100644
index a5c6773..0000000
--- a/profile/bing.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-"/search?q=news&qs=n&form=QBLH,/search?q=health&qs=n&form=QBLH|Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko|Host:www.bing.com|Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
-
-"Server:Microsoft-IIS/8.5|Cache-Control:private, max-age=0|Content-Type:text/html; charset=utf-8|Vary:Accept-Encoding"
\ No newline at end of file
diff --git a/profile/comfoo.txt b/profile/comfoo.txt
deleted file mode 100644
index 9bbb268..0000000
--- a/profile/comfoo.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-# Basic comfoo profile
-# http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/
-# https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/comfoo.profile
-
-"/CWoNaJLBo/VTNeWw11212/|Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)|Keep-Alive:timeout=15, max=90|Accept:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*|Accept-Language:en-en|Connection:Keel-Alive|Cache-Control:no-cache"
\ No newline at end of file
diff --git a/profile/fiesta.txt b/profile/fiesta.txt
deleted file mode 100644
index fff93f5..0000000
--- a/profile/fiesta.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-# Fiesta Exploit Kit traffic profile
-# http://malware-traffic-analysis.net/2014/04/05/index.html
-# https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/crimeware/fiesta.profile
-
-/rmvk30g/|Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11|Acccept:text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
-
-Server:Apache/2.2.15 (CentOS)|X-Powered-By:PHP/5.3.27|Content-Type:application/octet-stream|Connection:close
\ No newline at end of file
diff --git a/profile/havex.txt b/profile/havex.txt
deleted file mode 100644
index 23b41bf..0000000
--- a/profile/havex.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-"/include/template/isx.php,/wp06/wp-includes/po.php,/wp08/wp-includes/dtcla.php,/modules/mod_search.php,/blog/wp-includes/pomo/src.php,/includes/phpmailer/class.pop3.php|Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08|Referer:http://www.google.com|Accept:text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
-
-"Server:Apache/2.2.26 (Unix)|X-Powered-By:PHP/5.3.28|Cache-Control:no-cache|Content-Type:text/html|Keep-Alive:timeout=3, max=100"
diff --git a/profile/microsoftupdate.txt b/profile/microsoftupdate.txt
deleted file mode 100644
index c87e2b1..0000000
--- a/profile/microsoftupdate.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-"/c/msdownload/update/others/2016/12/29136388_,/c/msdownload/update/others/2016/12/3215234_|Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40|Host:download.windowsupdate.com|Accept: */*"
-
-"Content-Type:application/vnd.ms-cab-compressed|Server:Microsoft-IIS/8.5|MSRegion:N. America|Connection:keep-alive|X-Powered-By:ASP.NET"
\ No newline at end of file
diff --git a/profile/pitty_tiger.txt b/profile/pitty_tiger.txt
deleted file mode 100644
index 542cd7b..0000000
--- a/profile/pitty_tiger.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-# Basic Pitty Tiger RAT profile
-# http://bitbucket.cassidiancybersecurity.com/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf
-# https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/pitty_tiger.profile
-
-"/FC001/JOHN|Microsoft Internet Explorer"
\ No newline at end of file
diff --git a/profile/safebrowsing.txt b/profile/safebrowsing.txt
deleted file mode 100644
index 6fea215..0000000
--- a/profile/safebrowsing.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-#
-# Safebrowsing Comms profile
-# https://code.google.com/p/google-safe-browsing/wiki/SafeBrowsingDesign
-#
-
-/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko|Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8|Accept-Language:en-US,en;q=0.5|Accept-Encoding:gzip, deflate
-
-Content-Type:application/vnd.google.safebrowsing-chunk|X-Content-Type-Options:nosniff|Content-Encoding:gzip|X-Frame-Options:SAMEORIGIN|Cache-Control:public,max-age=172800|Age:1222|Alternate-Protocol:80
\ No newline at end of file
diff --git a/profile/zeus.txt b/profile/zeus.txt
deleted file mode 100644
index 0e32d64..0000000
--- a/profile/zeus.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-# Basic Zeus variant profile
-# https://malwr.com/analysis/NjIwNTU2ODA2OTUxNDcwNmJiMTMzYzk4YzU4NWQyZDQ/
-# https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/crimeware/zeus.profile
-
-"/metro91/admin/1/ppptp.jpg,/metro91/admin/1/secure.php|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)|Host:mahamaya1ifesciences.com|Cache-Control:no-cache|Accept-Encoding: deflate, gzip;q=1.0, *;q=0.5|Accept:*/*"
-
-"Server:nginx/1.0.4|Content-Type:text/html|Connection:close|X-Powered-By:PHP/5.3.8-1~dotdeb.2"
\ No newline at end of file