《Python绝技:运用Python成为顶级黑客》 用Python进行取证调查
在注册表中分析无线访问热点
以管理员权限开启cmd,输入如下命令,列出每个网络profile的Guid、网络描述、网络名以及网关的MAC地址
- reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged" /s
使用WinReg读取Windows注册表中的内容
连接注册表,使用OpenKey()函数打开相关的键,在循环中依次分析该键下存储的所有网络profile,并把其中FirstNetwork(网络名)和DefaultGateway(默认网关的Mac地址)这两个键值打印出来。
- #coding=utf-8
- from winreg import *
- # 将REG_BINARY值转换成一个实际的Mac地址
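def val2addr(val):
    """Convert a REG_BINARY gateway-MAC value into "aa:bb:cc:dd:ee:ff" form.

    Args:
        val: the raw registry value. Under Python 3's winreg a REG_BINARY
            value is ``bytes`` (iterating yields ints); the original code
            called ord() on each element and therefore raised TypeError.
            A str/py2-style value is still accepted.

    Returns:
        Lower-case hex octets separated by ':', cut to the 17 characters of
        a six-octet MAC (the same [0:17] cut the second listing below uses).
        An empty value gives "".
    """
    octets = []
    for ch in val:
        # bytes already iterate as ints; str elements still need ord().
        octet = ch if isinstance(ch, int) else ord(ch)
        octets.append("%02x" % octet)
    return ":".join(octets)[0:17]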
- # 打印网络相关信息
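def printNets():
    """Print the name and gateway MAC of every network profile in the registry.

    Walks the Unmanaged signatures key (one subkey per profile, see the
    ``reg query`` command above) and prints ``[+] <FirstNetwork> <mac>``
    for each. The key needs an elevated process to be readable.

    Raises:
        OSError: if the Unmanaged key itself cannot be opened.
    """
    # Path is relative to the HKLM handle and uses backslashes; the original
    # listing embedded the hive name and used '/', which OpenKey rejects.
    net = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged"
    key = OpenKey(HKEY_LOCAL_MACHINE, net)
    try:
        i = 0
        while True:
            try:
                guid = EnumKey(key, i)
            except OSError:
                # EnumKey raises OSError once i is past the last subkey.
                break
            i += 1
            netKey = OpenKey(key, guid)
            try:
                # Look values up by name instead of EnumValue() ordinals;
                # the enumeration order is not a documented contract.
                (addr, _) = QueryValueEx(netKey, 'DefaultGatewayMac')
                (name, _) = QueryValueEx(netKey, 'FirstNetwork')
            except OSError:
                # Profile lacking one of the values: skip it rather than
                # aborting the whole walk as the bare except did.
                continue
            finally:
                CloseKey(netKey)
            print('[+] ' + name + ' ' + val2addr(addr))
    finally:
        CloseKey(key)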
if __name__ == '__main__':
    # Script entry point; nothing runs on import.
    printNets()
使用Mechanize把Mac地址传给Wigle
此处增加了对Wigle网站的访问并将Mac地址传递给Wigle来获取经纬度等物理地址信息。
- #!/usr/bin/python
- #coding=utf-8
- from _winreg import *
- import mechanize
- import urllib
- import re
- import urlparse
- import os
- import optparse
- # 将REG_BINARY值转换成一个实际的Mac地址
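def val2addr(val):
    """Convert a REG_BINARY gateway-MAC value into "aa:bb:cc:dd:ee:ff" form.

    Args:
        val: the raw registry value — a str under _winreg (Python 2) or
            ``bytes`` under winreg (Python 3, where iteration yields ints
            and ord() would fail).

    Returns:
        Lower-case hex octets separated by ':', cut to 17 characters
        (six octets). An empty value gives "".
    """
    octets = []
    for ch in val:
        # bytes already iterate as ints; str elements still need ord().
        octet = ch if isinstance(ch, int) else ord(ch)
        octets.append("%02x" % octet)
    return ":".join(octets)[0:17]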
- # 打印网络相关信息
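def printNets(username, password):
    """Print every joined network's name and gateway MAC, then query Wigle.

    Walks the Unmanaged signatures key (one subkey per profile) and, for
    each, prints ``[+] <FirstNetwork> <mac>`` and calls wiglePrint().

    Args:
        username: Wigle login name, passed through to wiglePrint().
        password: Wigle password, passed through to wiglePrint().

    Raises:
        OSError (WindowsError): if the Unmanaged key cannot be opened,
            typically because the process is not elevated.
    """
    # Raw string keeps the registry path's backslashes literal.
    net = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged"
    key = OpenKey(HKEY_LOCAL_MACHINE, net)
    print("\n[*]Networks You have Joined.")
    try:
        i = 0
        while True:
            try:
                guid = EnumKey(key, i)
            except OSError:
                # End of the subkey list (WindowsError is an OSError); also
                # drops the original's arbitrary cap of 100 profiles.
                break
            i += 1
            netKey = OpenKey(key, str(guid))
            try:
                # Look values up by name instead of EnumValue() ordinals
                # 5 and 4; the enumeration order is not a documented contract.
                (addr, _) = QueryValueEx(netKey, 'DefaultGatewayMac')
                (name, _) = QueryValueEx(netKey, 'FirstNetwork')
            except OSError:
                # Skip a profile missing a value instead of aborting the walk.
                continue
            finally:
                CloseKey(netKey)
            macAddr = val2addr(addr)
            print('[+] ' + name + ' ' + macAddr)
            wiglePrint(username, password, macAddr)
    finally:
        CloseKey(key)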
- # 通过wigle查找Mac地址对应的经纬度
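def wiglePrint(username, password, netid):
    """Log in to Wigle and print the latitude/longitude recorded for a BSSID.

    Args:
        username: Wigle account name.
        password: Wigle account password.
        netid: the gateway MAC in "aa:bb:cc:dd:ee:ff" form.

    Prints ``[-] Lat: <lat>, Lon: <lon>``; either value is 'N/A' when the
    response carries no maplat/maplon parameter. Network errors propagate
    from mechanize unchanged.
    """
    browser = mechanize.Browser()
    browser.open('http://wigle.net')
    reqData = urllib.urlencode({'credential_0': username, 'credential_1': password})
    browser.open('https://wigle.net/gps/gps/main/login', reqData)
    reqParams = urllib.urlencode({'netid': netid})
    # NOTE(review): the query is sent over plain HTTP right after an HTTPS
    # login, so the session cookie travels in clear text — confirm whether
    # the endpoint is reachable over HTTPS and switch if so.
    respURL = 'http://wigle.net/gps/gps/main/confirmquery/'
    resp = browser.open(respURL, reqParams).read()
    mapLat = 'N/A'
    mapLon = 'N/A'
    # The regexes are greedy; split('&')[0] then keeps only the first field.
    rLat = re.findall(r'maplat=.*\&', resp)
    if rLat:
        mapLat = rLat[0].split('&')[0].split('=')[1]
    rLon = re.findall(r'maplon=.*\&', resp)
    if rLon:
        # Mirrors the maplat extraction; the original line was truncated
        # after ".split" and would have printed a bound method.
        mapLon = rLon[0].split('&')[0].split('=')[1]
    print('[-] Lat: ' + mapLat + ', Lon: ' + mapLon)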
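def main():
    """Parse -u/-p Wigle credentials and run printNets(); usage on omission."""
    parser = optparse.OptionParser('usage %prog ' + '-u <wigle username> -p <wigle password>')
    # Help strings were swapped in the original (-u described the password).
    parser.add_option('-u', dest='username', type='string', help='specify wigle username')
    parser.add_option('-p', dest='password', type='string', help='specify wigle password')
    (options, args) = parser.parse_args()
    username = options.username
    password = options.password
    if username is None or password is None:
        print(parser.usage)
        exit(0)
    printNets(username, password)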
if __name__ == "__main__":
    # Script entry point; nothing runs on import.
    main()
使用OS模块寻找被删除的文件/文件夹:
Windows系统中的回收站是一个专门用来存放被删除文件的特殊文件夹。子目录中的字符串表示的是用户的SID,对应机器里一个唯一的用户账户。
寻找被删除的文件/文件夹的函数:
- #!/usr/bin/python
- #coding=utf-8
- import os
- # 逐一测试回收站的目录是否存在,并返回第一个找到的回收站目录
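def returnDir(dirs=None):
    """Return the first existing recycle-bin directory, or None.

    Args:
        dirs: candidate paths probed in order. Defaults to the three
            well-known Windows locations; existing callers pass nothing.

    Returns:
        The first entry of *dirs* that is a directory, else None.
    """
    if dirs is None:
        dirs = ['C:\\Recycler\\', 'C:\\Recycled\\', 'C:\\$Recycle.Bin\\']
    return next((candidate for candidate in dirs if os.path.isdir(candidate)), None)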
用Python把SID和用户名关联起来:
可以使用Windows注册表把SID转换成一个准确的用户名。以管理员权限运行cmd并输入如下命令:
- reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2595130515-3345905091-1839164762-1000" /s
- #!/usr/bin/python
- #coding=utf-8
- import os
- import optparse
- from _winreg import *
- # 逐一测试回收站的目录是否存在,并返回第一个找到的回收站目录
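def returnDir(dirs=None):
    """Return the first existing recycle-bin directory, or None.

    Args:
        dirs: candidate paths probed in order. Defaults to the three
            well-known Windows locations; existing callers pass nothing.

    Returns:
        The first entry of *dirs* that is a directory, else None.
    """
    if dirs is None:
        dirs = ['C:\\Recycler\\', 'C:\\Recycled\\', 'C:\\$Recycle.Bin\\']
    for recycleDir in dirs:
        if os.path.isdir(recycleDir):
            return recycleDir
    return None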
- # 操作注册表来获取相应目录属主的用户名
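def sid2user(sid):
    """Map a SID string to an account name via the ProfileList registry key.

    Reads the profile's ProfileImagePath value and returns its last path
    component. Falls back to *sid* itself when the key or value is missing,
    so callers always get something printable.

    Args:
        sid: subkey name under ProfileList, e.g. the recycle-bin folder name.

    Returns:
        The user name, or *sid* when the lookup fails.
    """
    # Raw string keeps the registry path's backslashes literal.
    profileList = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
    try:
        key = OpenKey(HKEY_LOCAL_MACHINE, profileList + '\\' + sid)
    except OSError:
        # WindowsError is an OSError: no profile for this SID (e.g. a stale folder).
        return sid
    try:
        (value, valueType) = QueryValueEx(key, 'ProfileImagePath')
    except OSError:
        return sid
    finally:
        # The original never closed the handle.
        CloseKey(key)
    return value.split('\\')[-1]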
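def findRecycled(recycleDir):
    """Print the entries of each per-SID folder under the recycle bin root.

    Args:
        recycleDir: path of the recycle bin root as returned by returnDir().

    Raises:
        OSError: if *recycleDir* itself cannot be listed.
    """
    for sid in os.listdir(recycleDir):
        sidDir = os.path.join(recycleDir, sid)
        # Only directories are per-user bins; skip any plain file at the root.
        if not os.path.isdir(sidDir):
            continue
        try:
            entries = os.listdir(sidDir)
        except OSError:
            # Folder not readable with the current rights: report and go on.
            print('[!] Cannot list ' + sidDir)
            continue
        user = sid2user(sid)
        print('\n[*] Listing Files For User: ' + str(user))
        for entry in entries:
            print('[+] Found File: ' + str(entry))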
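def main():
    """Locate the recycle bin and list its per-user contents."""
    recycledDir = returnDir()
    if recycledDir is None:
        # returnDir() yields None when no known bin folder exists; the
        # original passed that None straight into os.listdir().
        print('[!] No Recycle Bin directory found')
        return
    findRecycled(recycledDir)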
if __name__ == "__main__":
    # Script entry point; nothing runs on import.
    main()
使用PyPDF解析PDF文件中的元数据
pyPdf是管理PDF文档的第三方Python库,在Kali中是已经默认安装了的就不需要再去下载安装。
- #!/usr/bin/python
- #coding=utf-8
- import pyPdf
- import optparse
- from pyPdf import PdfFileReader
- # 使用getDocumentInfo()函数提取PDF文档所有的元数据
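def printMeta(fileName):
    """Print every entry of the PDF's document-info dictionary.

    Args:
        fileName: path of the PDF to inspect.

    Raises:
        IOError: if the file cannot be opened; pyPdf errors propagate.
    """
    # `with` keeps the handle open while pyPdf reads and closes it afterwards;
    # the original used file() and never closed it.
    with open(fileName, 'rb') as pdfHandle:
        pdfFile = PdfFileReader(pdfHandle)
        docInfo = pdfFile.getDocumentInfo()
        print("[*] PDF MeataData For: " + str(fileName))
        # NOTE(review): getDocumentInfo() may return None for a PDF without
        # an /Info dictionary — confirm against the pyPdf version in use.
        for metaItem in (docInfo or {}):
            # str(): values are pyPdf objects, not guaranteed to be plain strings.
            print("[+] " + str(metaItem) + ": " + str(docInfo[metaItem]))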
def main():
    """Parse -F <file> and print its PDF metadata; show usage otherwise."""
    parser = optparse.OptionParser("[*]Usage: python pdfread.py -F <PDF file name>")
    parser.add_option('-F', dest='fileName', type='string', help='specify PDF file name')
    options = parser.parse_args()[0]
    if options.fileName is None:
        print(parser.usage)
        exit(0)
    printMeta(options.fileName)
if __name__ == "__main__":
    # Script entry point; nothing runs on import.
    main()
用BeautifulSoup下载图片
- import urllib2
- from bs4 import BeautifulSoup as BS
- from os.path import basename
- from urlparse import urlsplit
- # 通过BeautifulSoup查找URL中所有的img标签
def findImages(url):
    """Return every <img> tag of the page at *url* (parsed with lxml)."""
    print('[+] Finding images on ' + url)
    pageSource = urllib2.urlopen(url).read()
    return BS(pageSource, 'lxml').findAll('img')
- # 通过img标签的src属性的值来获取图片URL下载图片
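def downloadImage(imgTag):
    """Fetch the image referenced by an <img> tag into the working directory.

    Args:
        imgTag: a BeautifulSoup tag; its 'src' attribute is the URL fetched.

    Returns:
        The local file name written, or ' ' when anything fails.
    """
    try:
        print('[+] Dowloading image...')
        imgSrc = imgTag['src']
        imgContent = urllib2.urlopen(imgSrc).read()
        # basename() of the URL path keeps the page-controlled src from naming
        # a file outside the working directory; an empty name (src ending in
        # '/') makes open() fail and is reported like any other error.
        imgFileName = basename(urlsplit(imgSrc)[2])
        # `with` closes the file even if write() fails (the original leaked it).
        with open(imgFileName, 'wb') as imgFile:
            imgFile.write(imgContent)
        return imgFileName
    except Exception:
        # Best-effort by design: a relative src, a network error or an
        # unwritable name all yield ' '. Exception rather than a bare except
        # so KeyboardInterrupt/SystemExit still propagate.
        return ' '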
用Python的图像处理库读取图片中的Exif元数据
这里查看下载图片的元数据中是否含有Exif标签“GPSInfo”,若存在则输出存在信息。
- #!/usr/bin/python
- #coding=utf-8
- import optparse
- from PIL import Image
- from PIL.ExifTags import TAGS
- import urllib2
- from bs4 import BeautifulSoup as BS
- from os.path import basename
- from urlparse import urlsplit
- # 通过BeautifulSoup查找URL中所有的img标签
def findImages(url):
    """Return every <img> tag of the page at *url* (parsed with lxml)."""
    print('[+] Finding images on ' + url)
    response = urllib2.urlopen(url)
    document = BS(response.read(), 'lxml')
    return document.findAll('img')
- # 通过img标签的src属性的值来获取图片URL下载图片
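def downloadImage(imgTag):
    """Fetch the image referenced by an <img> tag into the working directory.

    Args:
        imgTag: a BeautifulSoup tag; its 'src' attribute is the URL fetched.

    Returns:
        The local file name written, or ' ' when anything fails (testForExif
        tolerates that bogus name).
    """
    try:
        print('[+] Dowloading image...')
        imgSrc = imgTag['src']
        imgContent = urllib2.urlopen(imgSrc).read()
        # basename() of the URL path keeps the page-controlled src from naming
        # a file outside the working directory; an empty name (src ending in
        # '/') makes open() fail and is reported like any other error.
        imgFileName = basename(urlsplit(imgSrc)[2])
        # `with` closes the file even if write() fails (the original leaked it).
        with open(imgFileName, 'wb') as imgFile:
            imgFile.write(imgContent)
        return imgFileName
    except Exception:
        # Best-effort by design: a relative src, a network error or an
        # unwritable name all yield ' '. Exception rather than a bare except
        # so KeyboardInterrupt/SystemExit still propagate.
        return ' '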
- # 获取图像文件的元数据,并寻找是否存在Exif标签“GPSInfo”
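def testForExif(imgFileName):
    """Report whether the image at *imgFileName* carries a GPSInfo EXIF tag.

    Args:
        imgFileName: local path; may be ' ' or '' when the download failed,
            which Image.open() rejects and is ignored here.
    """
    try:
        # Open via our own handle so it is always closed; Image.open() accepts
        # file objects in both PIL and Pillow.
        with open(imgFileName, 'rb') as imgHandle:
            # _getexif() is a private PIL API present only on some formats
            # (AttributeError otherwise); it returns None without EXIF data.
            info = Image.open(imgHandle)._getexif()
        if not info:
            return
        exifData = {}
        for (tag, value) in info.items():
            exifData[TAGS.get(tag, tag)] = value
        # .get(): a missing GPSInfo tag is the normal case, not an error.
        if exifData.get('GPSInfo'):
            print('[*] ' + imgFileName + ' contains GPS MetaData')
    except (IOError, OSError, AttributeError):
        # Unreadable or non-image file, or a format without _getexif():
        # nothing to report (narrowed from the original bare except).
        pass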
def main():
    """Parse -u <url>, download each image on the page and test it for GPS EXIF."""
    parser = optparse.OptionParser('[*]Usage: python Exif.py -u <target url>')
    parser.add_option('-u', dest='url', type='string', help='specify url address')
    options = parser.parse_args()[0]
    if options.url is None:
        print(parser.usage)
        exit(0)
    for imgTag in findImages(options.url):
        testForExif(downloadImage(imgTag))
if __name__ == "__main__":
    # Script entry point; nothing runs on import.
    main()
使用Python和SQLite3自动查询Skype的数据库
- #!/usr/bin/python
- #coding=utf-8
- import sqlite3
- import optparse
- import os
- # 连接main.db数据库,申请游标,执行SQL语句并返回结果
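def printProfile(skypeDB):
    """Print the owner account(s) stored in the Accounts table of main.db.

    Args:
        skypeDB: path to the Skype main.db file.

    Raises:
        sqlite3.Error: if the file is not a readable SQLite database or
            lacks the expected table/columns.
    """
    # NOTE(review): connect() opens the file read-write; on an evidence copy
    # prefer a read-only open (URI mode=ro, Python 3.4+) so nothing touches it.
    conn = sqlite3.connect(skypeDB)
    try:
        c = conn.cursor()
        c.execute("SELECT fullname, skypename, city, country, datetime(profile_timestamp,'unixepoch') FROM Accounts;")
        for row in c:
            print('[*] -- Found Account --')
            print('[+] User : '+str(row[0]))
            print('[+] Skype Username : '+str(row[1]))
            print('[+] Location : '+str(row[2])+','+str(row[3]))
            print('[+] Profile Date : '+str(row[4]))
    finally:
        # The original never closed the connection.
        conn.close()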
- # 获取联系人的相关信息
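def printContacts(skypeDB):
    """Print each row of the Contacts table, omitting empty location/phone/birthday.

    Args:
        skypeDB: path to the Skype main.db file.

    Raises:
        sqlite3.Error: if the database or the Contacts table cannot be read.
    """
    conn = sqlite3.connect(skypeDB)
    try:
        c = conn.cursor()
        c.execute("SELECT displayname, skypename, city, country, phone_mobile, birthday FROM Contacts;")
        for row in c:
            print('\n[*] -- Found Contact --')
            print('[+] User : ' + str(row[0]))
            print('[+] Skype Username : ' + str(row[1]))
            # NULL columns arrive as None and are compared via str() as 'None'.
            if str(row[2]) != '' and str(row[2]) != 'None':
                print('[+] Location : ' + str(row[2]) + ',' + str(row[3]))
            if str(row[4]) != 'None':
                print('[+] Mobile Number : ' + str(row[4]))
            if str(row[5]) != 'None':
                print('[+] Birthday : ' + str(row[5]))
    finally:
        # The original never closed the connection.
        conn.close()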
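def printCallLog(skypeDB):
    """Print the time and counterpart of every call joined to its conversation.

    Args:
        skypeDB: path to the Skype main.db file.

    Raises:
        sqlite3.Error: if the database or the calls/conversations tables
            cannot be read.
    """
    conn = sqlite3.connect(skypeDB)
    try:
        c = conn.cursor()
        c.execute("SELECT datetime(begin_timestamp,'unixepoch'), identity FROM calls, conversations WHERE calls.conv_dbid = conversations.id;")
        print('\n[*] -- Found Calls --')
        for row in c:
            print('[+] Time: ' + str(row[0]) + ' | Partner: ' + str(row[1]))
    finally:
        # The original never closed the connection.
        conn.close()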
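def printMessages(skypeDB):
    """Print every chat message with direction relative to the dialog partner.

    Rows whose body contains 'partlist' (group-membership events) are
    skipped. Direction: 'To <partner>' when the author differs from the
    partner, else 'From <author>'.

    Args:
        skypeDB: path to the Skype main.db file.

    Raises:
        sqlite3.Error: if the database or the Messages table cannot be read.
    """
    conn = sqlite3.connect(skypeDB)
    try:
        c = conn.cursor()
        c.execute("SELECT datetime(timestamp,'unixepoch'), dialog_partner, author, body_xml FROM Messages;")
        print('\n[*] -- Found Messages --')
        for row in c:
            if 'partlist' in str(row[3]):
                continue
            if str(row[1]) != str(row[2]):
                msgDirection = 'To ' + str(row[1]) + ': '
            else:
                msgDirection = 'From ' + str(row[2]) + ' : '
            try:
                print('Time: ' + str(row[0]) + ' ' + msgDirection + str(row[3]))
            except UnicodeError:
                # Non-ASCII body on a terminal that cannot encode it: skip
                # that row only (narrowed from the original bare except).
                pass
    finally:
        # The original never closed the connection.
        conn.close()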
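def main():
    """Parse -p <profile dir> and dump the Skype main.db found in it."""
    parser = optparse.OptionParser("[*]Usage: python skype.py -p <skype profile path> ")
    parser.add_option('-p', dest='pathName', type='string', help='specify skype profile path')
    (options, args) = parser.parse_args()
    pathName = options.pathName
    if pathName is None:
        print(parser.usage)
        exit(0)
    if not os.path.isdir(pathName):
        print('[!] Path Does Not Exist: ' + pathName)
        exit(0)
    skypeDB = os.path.join(pathName, 'main.db')
    if not os.path.isfile(skypeDB):
        # The original referenced the misspelled name `skpeDB` here and
        # raised NameError instead of printing this message.
        print('[!] Skype Database ' + 'does not exist: ' + skypeDB)
        return
    printProfile(skypeDB)
    printContacts(skypeDB)
    printCallLog(skypeDB)
    printMessages(skypeDB)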
if __name__ == "__main__":
    # Script entry point; nothing runs on import.
    main()
用Python解析火狐浏览器的SQLite3数据库
主要关注文件:cookies.sqlite、places.sqlite、downloads.sqlite
- #!/usr/bin/python
- #coding=utf-8
- import re
- import optparse
- import os
- import sqlite3
- # 解析打印downloads.sqlite文件的内容,输出浏览器下载的相关信息
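def printDownloads(downloadDB):
    """Print name, source URL and end time of every row in moz_downloads.

    Args:
        downloadDB: path to the profile's downloads.sqlite.

    Raises:
        sqlite3.Error: if the database or the moz_downloads table cannot
            be read.
    """
    conn = sqlite3.connect(downloadDB)
    try:
        c = conn.cursor()
        # endTime is stored in microseconds, hence the /1000000 before unixepoch.
        c.execute('SELECT name, source, datetime(endTime/1000000, \'unixepoch\') FROM moz_downloads;')
        print('\n[*] --- Files Downloaded --- ')
        for row in c:
            print('[+] File: ' + str(row[0]) + ' from source: ' + str(row[1]) + ' at: ' + str(row[2]))
    finally:
        # The original never closed the connection.
        conn.close()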
- # 解析打印cookies.sqlite文件的内容,输出cookie相关信息
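def printCookies(cookiesDB):
    """Print host, name and value of every cookie in moz_cookies.

    Args:
        cookiesDB: path to the profile's cookies.sqlite.

    Errors are reported on stdout rather than raised: the 'encrypted'
    hint keeps the original advice, any other failure prints its message
    instead of being swallowed silently.
    """
    try:
        conn = sqlite3.connect(cookiesDB)
        try:
            c = conn.cursor()
            c.execute('SELECT host, name, value FROM moz_cookies')
            print('\n[*] -- Found Cookies --')
            for row in c:
                host = str(row[0])
                name = str(row[1])
                value = str(row[2])
                # Values are live session tokens: treat the output as sensitive.
                print('[+] Host: ' + host + ', Cookie: ' + name + ', Value: ' + value)
        finally:
            # The original never closed the connection.
            conn.close()
    except Exception as e:
        if 'encrypted' in str(e):
            print('\n[*] Error reading your cookies database.')
            print('[*] Upgrade your Python-Sqlite3 Library')
        else:
            print('[!] Error reading cookies database: ' + str(e))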
- # 解析打印places.sqlite文件的内容,输出历史记录
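def printHistory(placesDB):
    """Print each visit (date and URL) joined from moz_places/moz_historyvisits.

    Args:
        placesDB: path to the profile's places.sqlite.

    Exits with status 0 when the database reports it is encrypted (the
    original behaviour); any other read error prints its message instead
    of being swallowed silently.
    """
    try:
        conn = sqlite3.connect(placesDB)
        try:
            c = conn.cursor()
            # visit_date is stored in microseconds, hence the /1000000.
            c.execute("select url, datetime(visit_date/1000000, 'unixepoch') from moz_places, moz_historyvisits where visit_count > 0 and moz_places.id==moz_historyvisits.place_id;")
            print('\n[*] -- Found History --')
            for row in c:
                url = str(row[0])
                date = str(row[1])
                print('[+] ' + date + ' - Visited: ' + url)
        finally:
            # The original never closed the connection.
            conn.close()
    except Exception as e:
        if 'encrypted' in str(e):
            print('\n[*] Error reading your places database.')
            print('[*] Upgrade your Python-Sqlite3 Library')
            exit(0)
        print('[!] Error reading places database: ' + str(e))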
- # 解析打印places.sqlite文件的内容,输出百度的搜索记录
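def printBaidu(placesDB):
    """Print the Baidu search terms ("wd=" parameter) found in the visit history.

    Args:
        placesDB: path to the profile's places.sqlite.

    Raises:
        sqlite3.Error: if the database or its tables cannot be read.
    """
    conn = sqlite3.connect(placesDB)
    try:
        c = conn.cursor()
        c.execute("select url, datetime(visit_date/1000000, 'unixepoch') from moz_places, moz_historyvisits where visit_count > 0 and moz_places.id==moz_historyvisits.place_id;")
        print('\n[*] -- Found Baidu --')
        for row in c:
            url = str(row[0])
            date = str(row[1])
            if 'baidu' not in url.lower():
                continue
            # [^&]* instead of .*?\&: the original required a trailing '&'
            # and missed URLs where wd= is the last query parameter.
            r = re.findall(r'wd=[^&]*', url)
            if r:
                # Only '+' is decoded; %XX escapes are printed as stored.
                search = r[0].replace('wd=', '').replace('+', ' ')
                print('[+] ' + date + ' - Searched For: ' + search)
    finally:
        # The original never closed the connection.
        conn.close()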
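def main():
    """Parse -p <profile dir> and dump the Firefox SQLite files found in it."""
    parser = optparse.OptionParser("[*]Usage: firefoxParse.py -p <firefox profile path> ")
    # Help text fixed: the original was copy-pasted from the Skype script.
    parser.add_option('-p', dest='pathName', type='string', help='specify firefox profile path')
    (options, args) = parser.parse_args()
    pathName = options.pathName
    if pathName is None:
        print(parser.usage)
        exit(0)
    if not os.path.isdir(pathName):
        print('[!] Path Does Not Exist: ' + pathName)
        exit(0)
    downloadDB = os.path.join(pathName, 'downloads.sqlite')
    if os.path.isfile(downloadDB):
        printDownloads(downloadDB)
    else:
        print('[!] Downloads Db does not exist: '+downloadDB)
    cookiesDB = os.path.join(pathName, 'cookies.sqlite')
    if os.path.isfile(cookiesDB):
        printCookies(cookiesDB)
    else:
        print('[!] Cookies Db does not exist:' + cookiesDB)
    placesDB = os.path.join(pathName, 'places.sqlite')
    if os.path.isfile(placesDB):
        printHistory(placesDB)
        printBaidu(placesDB)
    else:
        print('[!] PlacesDb does not exist: ' + placesDB)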
if __name__ == "__main__":
    # Script entry point; nothing runs on import.
    main()
用python调查iTunes手机备份
- #!/usr/bin/python
- #coding=utf-8
- import os
- import sqlite3
- import optparse
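def isMessageTable(iphoneDB):
    """Return True if *iphoneDB* is a SQLite file with a table name containing 'message'.

    Args:
        iphoneDB: path of a candidate file from the backup directory; any
            file is tried, so non-database files are expected.

    Returns:
        bool — False for non-database or unreadable files and when no table
        matches (the original returned None in that last case).
    """
    try:
        conn = sqlite3.connect(iphoneDB)
    except sqlite3.Error:
        return False
    try:
        c = conn.cursor()
        # Single-quoted SQL literal; the original's double-quoted "table"
        # only worked through SQLite's legacy identifier-to-string fallback.
        c.execute("SELECT tbl_name FROM sqlite_master WHERE type='table';")
        for row in c:
            if 'message' in str(row):
                return True
        return False
    except sqlite3.Error:
        # e.g. "file is not a database" for the non-SQLite files in a backup.
        return False
    finally:
        # The original never closed the connection.
        conn.close()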
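def printMessage(msgDB):
    """Print date, address and text of every row in the message table.

    Args:
        msgDB: path of a backup SQLite file that has a message table.

    Database errors are reported on stdout; rows whose text is NULL or
    cannot be encoded for the terminal are skipped individually, so one
    bad row no longer stops the listing (the original bare except did).
    """
    try:
        conn = sqlite3.connect(msgDB)
    except sqlite3.Error as e:
        print('[!] Cannot open ' + msgDB + ': ' + str(e))
        return
    try:
        c = conn.cursor()
        c.execute('select datetime(date,\'unixepoch\'), address, text from message WHERE address>0;')
        for row in c:
            date = str(row[0])
            addr = str(row[1])
            text = row[2]
            if text is None:
                # The original concatenated None and raised TypeError.
                continue
            try:
                print('\n[+] Date: '+date+', Addr: '+addr + ' Message: ' + text)
            except UnicodeError:
                continue
    except sqlite3.Error as e:
        print('[!] Cannot read messages from ' + msgDB + ': ' + str(e))
    finally:
        # The original never closed the connection.
        conn.close()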
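def main():
    """Parse -p <backup dir> and print messages from every file holding a message table."""
    parser = optparse.OptionParser("[*]Usage: python iphoneParse.py -p <iPhone Backup Directory> ")
    # Help text fixed: the original was copy-pasted from the Skype script.
    parser.add_option('-p', dest='pathName', type='string', help='specify iPhone backup directory')
    (options, args) = parser.parse_args()
    pathName = options.pathName
    if pathName is None:
        print(parser.usage)
        exit(0)
    for fileName in os.listdir(pathName):
        iphoneDB = os.path.join(pathName, fileName)
        if not isMessageTable(iphoneDB):
            continue
        print('\n[*] --- Found Messages ---')
        try:
            printMessage(iphoneDB)
        except Exception as e:
            # Report instead of the original silent bare except.
            print('[!] Failed to read ' + iphoneDB + ': ' + str(e))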
if __name__ == "__main__":
    # Script entry point; nothing runs on import.
    main()